Information Assurance and Information Technology: Training ... · This final report entital “Information Assurance and Information Technology: Training, Certification and Personnel

Final Report

Information Assurance andInformation Technology:

Training, Certification, andPersonnel Management inthe Department of Defense

Information Assurance and Information TechnologyHuman ResourcesIntegrated Process Team

August 27, 1999

Office of the Secretary of Defense

Form SF298 Citation Data

Report Date("DD MON YYYY") 27081999

Report TypeN/A

Dates Covered (from... to)("DD MON YYYY")

Title and Subtitle Information Assurance and Information Technology: Training,Certification, and Personnel Management in the Department of Defense

Contract or Grant Number

Program Element Number

Authors Project Number

Task Number

Work Unit Number

Performing Organization Name(s) and Address(es) Office of the Secretary of Defense

Performing Organization Number(s)

Sponsoring/Monitoring Agency Name(s) and Address(es) Monitoring Agency Acronym

Monitoring Agency Report Number(s)

Distribution/Availability Statement Approved for public release, distribution unlimited

Supplementary Notes

Abstract

Subject Terms

Document Classification unclassified

Classification of SF298 unclassified

Classification of Abstract unclassified

Limitation of Abstract unlimited

Number of Pages 153

REPORT DOCUMENTATION PAGEForm Approved

OMB No. 074-0188Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering andmaintaining the data needed, and completing and reviewing this collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,including suggestions for reducing this burden to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503

1. AGENCY USE ONLY (Leave blank) 2. REPORT DATE

8/27/993. REPORT TYPE AND DATES COVERED

Report4. TITLE AND SUBTITLE

Information Assurance and Information Technology: Training,Certification, and Personnel Management in the Departmentof Defense

5. FUNDING NUMBERS

6. AUTHOR(S)

Secretary of Defense

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION REPORT NUMBER

IATACInformation Assurance Technology AnalysisCenter3190 Fairview Park DriveFalls Church VA 220429. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSORING / MONITORING

AGENCY REPORT NUMBER

Defense Technical Information CenterDTIC-IA8725 John J. Kingman Rd, Suite 944Ft. Belvoir, VA 2206011. SUPPLEMENTARY NOTES

12a. DISTRIBUTION / AVAILABILITY STATEMENT 12b. DISTRIBUTION CODE

A

13. ABSTRACT (Maximum 200 Words)

This final report entital “Information Assurance and Information Technology: Training,Certification and Personnel Management in the Department of Defense was prepared by theInformation Assurance and Information Technology Human Resources Integrated Process Team,was published in August 1999. The DoD’s warfighting capability and the security of itsinformation infrastructure are at great risk from attacks by foreign intelligenceorganizations, cyber-terrorists, and the incompetencies of some of its own users. Just asdangerous is the shortage of adequately trained and managed information technologyprofessionals, particularly in the area of information assurance. The shortage of trainedpeople is also critical in other parts of the public sector and in the private sector aswell. In 1998, the Deputy Secretary of Defense tasked Assistant Secretary of Defense (C3I)and the Under Secretary of Defense (P&R) to establish an Information Technology andInformation Assurance Human Resources Integrated Process Team. This team would recommendactions, processes, and policies that would address the weakest link in DoD’s defense ofits information infrastructure—the people who use, administer, and manage it. The team,composed of representatives from14. SUBJECT TERMS

Information Assurance, INFOSEC15. NUMBER OF PAGES

16. PRICE CODE

17. SECURITY CLASSIFICATION OF REPORT

Unclassified

18. SECURITY CLASSIFICATION OF THIS PAGE

UNCLASSIFIED

19. SECURITY CLASSIFICATION OF ABSTRACT

UNCLASSIFIED

20. LIMITATION OF ABSTRACT

None

ii

Abstract and Keywords

Abstract: The DoD’s warfighting capability and the security of its informationinfrastructure are at great risk from attacks by foreign intelligence organizations, cyber-terrorists, and the incompetencies of some of its own users. Just as dangerous is theshortage of adequately trained and managed information technology professionals,particularly in the area of information assurance. The shortage of trained people is alsocritical in other parts of the public sector and in the private sector as well. In 1998, theDeputy Secretary of Defense tasked Assistant Secretary of Defense (C3I) and the UnderSecretary of Defense (P&R) to establish an Information Technology and InformationAssurance Human Resources Integrated Process Team. This team would recommendactions, processes, and policies that would address the weakest link in DoD’s defense of itsinformation infrastructure—the people who use, administer, and manage it. The team,composed of representatives from 15 DoD organizations, concentrated on problems andissues in (1) workforce management and (2) IT and IA training and certification. In less thansix months, the team developed a set of recommendations, projected results if therecommendations were implemented, cost estimates, and a five-year time line.

Keywords: Information technology (IT), information assurance (IA), Clinger-CohenCompetencies, workforce, manpower, human resources, management, weapons systems,computers, computer networks, Department of Defense, information security (INFOSEC),computer security, policies and procedures.

iii

Contents

Executive Summary ...................................................................................................................... ES-1

1. The Problems...................................................................................................................................1

1.1 Background..............................................................................................................................11.2 Goals of the IT/IA Human Resources Integrated Process Team ..................................11.3 Overview of Problems and Issues........................................................................................21.4 Data Collection and Analysis. ...............................................................................................4

2. Workforce Management.................................................................................................................9

2.1 Findings and Recommendations ..........................................................................................92.2 Discussion and Analysis.......................................................................................................10

3. Training and Certification ............................................................................................................13

3.1 IT Management Training: Findings and Recommendations..........................................133.2 IT Management Training: Discussion and Analysis ........................................................133.3 IA Training: Findings and Conclusions.............................................................................163.4 IA Training: Discussion and Analysis................................................................................17

4. Roadmap to Improvements.........................................................................................................23

4.1 Implementing the IPT Recommendations .......................................................................234.2 Priorities .................................................................................................................................244.3 Costs .......................................................................................................................................254.4 Timeline for Implementation..............................................................................................254.5 Future Issues to be Addressed by OSD ............................................................................25

Appendix A. Private Sector Recruiting and Retention Techniques......................................... A-1

Appendix B. Recruiting and Retaining Information Technology Professionals....................B-1

Appendix C. Clinger-Cohen Competencies (IT Functions) ..................................................... C-1

Appendix D. Information Assurance Functions ........................................................................D-1

Appendix E. Data Call Results ...................................................................................................... E-1

Appendix F. Military IT Occupational Specialties.......................................................................F-1

Appendix G. Requirements for IT/IA Coding of DoD Manpower/PersonnelDatabases..........................................................................................................................................G-1

Appendix H. Certification Requirements for System/Network Administrators..................H-1

iv

Appendix I. Certification Requirements for Threat and Vulnerability Assessments ..............I-1

Appendix J. Certification Requirements for Computer Emergency Response Team ............J-1

Appendix K. Service/Agency Costs to Implement Recommendation..................................K-1

Appendix L. Schedule of Recommendations...............................................................................L-1

References.................................................................................................................................... Refs-1

Acronyms and Abbreviations .................................................................................................Acros-1

v

Figures

Figure 1. Total Service Population Divided by Type of Major Command...................... E-4

Figure 2. Framework for IA Results...................................................................................... E-5

Figure 3. Summary of Service Infrastructure in IA Sampling Requirements ................. E-5

Figure 4. IA Resource Distribution by Function for the Services ..................................E-11

Figure 5. Relative Distribution of DIA IA Resource by Function .................................E-13

Figure 6. Relative Distribution of NIMA IA Resources by Function............................E-13

Figure 7. Reported DISA IA Resources by Function.......................................................E-14

Figure 8. Personnel vs. Time Spent on IA for the Services .............................................E-15

Figure 9. Full-Time vs. Part-Time Distribution for DIA, DISA, JCS, and DLA .........E-16

Figure 10. Level of Training for the Services ......................................................................E-17

Figure 11. Personnel Background Breakdown for Army and Air Force..........................E-19

Figure 12. Personnel Background for Selected DoD Agencies.........................................E-19

vi

Tables

Table ES- 1. Recommendations and Their Priorities..............................................................ES-3

Table 1. IPT Organization..........................................................................................................2

Table 2. Incentives – FY1997 Through March 1999........................................................... 12

Table 3. Anticipated Results and Implementation Status ................................................... 23

Table 4. IPT Recommendations and Their Costs................................................................ 26

Table 5. IA Functions ............................................................................................................ E-2

Table 6. Sampling Plan for IA Data Call............................................................................. E-6

Table 7. IT Occupational Codes Within DoD................................................................... E-6

Table 8. Data Call Response Received................................................................................. E-8

Table 9. Population Count Used to Scale the Services ...................................................E-10

Table 10. Summary of IA Service Resources .....................................................................E-12

Table 11. Level of Training for the Agencies .....................................................................E-18

Table 12. Information Management (3A) ..............................................................................F-5

Table 13. Communications/Computer Systems Operator (3C) .........................................F-5

Table 14. Computer-Computer Systems Operations (3C0X1) ...........................................F-6

Table 15. Computer-Computer Systems Programming (3C0X2).......................................F-6

Table 16. Radio Communications Systems (3C1X1)............................................................F-6

Table 17. Electronics Spectrum Management (3C1X2).......................................................F-7

Table 18. Computer-Computer Systems Control (3C2X1) .................................................F-7

Table 19. Planning and Implementation (3C3X1) ................................................................F-7

Table 20. Communications and Information Officer (33S) ................................................F-8

Table 21. Communications and Information Systems (33SX)............................................F-8

vii

Table 22. Communications/Computer Systems Engineer (33XSA)..................................F-9

Table 23. Information Systems Operator Analyst (74B) .................................................. F-10

Table 24. Telecommunications Operator-Maintainer (74C)............................................. F-10

Table 25. Telecommunications Computer Operator- Maintainer (74G)........................ F-10

Table 26. Information Systems Chief (74Z)....................................................................... F-11

Table 27. Information Systems Management (AOC 53A) ............................................... F-11

Table 28. Signal (Information Systems) Operations (AOC 25A) .................................... F-12

Table 29. Network Management Technician (MOS 250N).............................................. F-12

Table 30. Automation Technician (MOS 251A)................................................................. F-13

Table 31. Radioman................................................................................................................ F-14

Table 32. Information Systems Administrator (NEC 2735) ............................................ F-14

Table 33. Network Security Vulnerability Technician (NEC2780).................................. F-15

Table 34. Information Systems Security Manager (NEC 2779)....................................... F-15

Table 35. Advanced Network Analyst (NEC 2781) .......................................................... F-15

Table 36. Navy Officer IT Subspecialties............................................................................ F-16

Table 37. Navy Officer Subspecialties – Billets vs. Inventory.......................................... F-17

Table 38. Small Computer Systems Specialist (MOS 4066).............................................. F-18

Table 39. Communications Information Systems Officer (MOS 0602)......................... F-19

Table 40. Certification Requirements of System/Network Administration &Operations ...............................................................................................................................H-2

Table 41. Certification Requirements for Threat & Vulnerability Assessment .................I-2

Table 42. Certification Requirements for CERT....................................................................J-2

Table 43. Service/Agency Costs to Implement Recommendations .................................K-1

viii

Definitions and Conventions Used in This Report

Although normally definitions are placed in an appendix, there are five terms usedthroughout this report that must be understood for accurate comprehension. For this reason,they are defined in the front of the report.

Term DefinitionFor MoreInformation

IT Workforce Includes all people, military, civilian, and contractor, inthe Department who perform functions identified in theClinger-Cohen Competencies regardless of theiroccupational specialties.

Clinger-CohenCompetencies listedin Appendix C.

IT Professional A subset of the IT workforce—includes only those people,military, civilian, and contractor, in the Department whoperform functions identified in the Clinger-CohenCompetencies and whose primary occupational specialtyis defined as an IT occupational specialty.

Clinger-CohenCompetencies listedin Appendix C.

IA Workforce Includes all people, military, civilian, and contractor, inthe Department who perform IA functions regardless oftheir occupational specialties.

IA functions listed inAppendix D.

IA Professional A subset of the IA workforce—includes only those people,military, civilian, and contractor, in the Department whoperform IA functions and whose primary occupationalspecialty is defined as an IT occupational specialty.

IA functions listedin Appendix D.

Privileged Access A special access above those privileges required for thenormal data acquisition or operation of an informationsystem. This access grants capabilities to a user,operator, administrator, maintainer, auditor, or anyother person that enable them to alter or affect theintended behavior or proper content of a system, as wellas alter or affect the capabilities or data of any otheruser of the information system.

Executive Summary

ES-1

Executive Summary

Purpose

This report presents the findings andrecommendations of the InformationAssurance (IA) and Information Technology(IT) Human Resources Integrated Process Team(IPT). The Office of the Assistant Secretary ofDefense (Command, Control, Communications,and Intelligence) and the Under Secretary ofDefense (Personnel and Readiness) jointlycommissioned the IPT in September 1998.They charged it to identify the critical IA and ITManagement skill sets in the Department ofDefense (DoD) and to recommend mechanismsthat would promote the achievement andsustainability of those skills in the Department.Forty-five people from fifteen DoD Servicesand Agencies met for the first time in lateSeptember 1998 to begin an intensive six-monthanalysis of the above tasking. Their goal was torecommend actions and policies that would leadto establishing a comprehensive and world-classhuman resources program for IA and ITManagement within the Department.The IPT looked closely at the following areas

•••• Taxonomy

•••• Occupational descriptions and career fields

•••• Certification standards

•••• Training programs

•••• Accession and retention trends

Findings

Generally, there is no Department-widerecognition of the very real and growing threatto our warfighting capability as evidenced byinadequate priority, funding, training, and focuson information assurance.The IPT’s most significant finding was that IAand IT Management personnel readiness ismore problematic than simply providingtraining opportunities and financial/career

incentives to IT professionals. Before thosestrategies can be attempted, the Departmentmust learn the demographics of its ITpopulation and know precisely what IT activitiesit is performing. Today, the Department isunable to expeditiously determine thisinformation. The reasons are many, but theprimary causes are that some people in non-ITcareer fields are performing ill-defined IAfunctions part time and that frequently civilianoccupational series are not tied directly to ITfunctions. The report indicates that this factmakes it difficult to determine precisely who hasaccess to the Department’s informationinfrastructures. Furthermore, it makes it almostimpossible to regulate training and certificationrequirements in what is basically a transientwork force. Lastly, trying to enhance careeropportunities among this unidentifiable workforce is extremely difficult.

Recommendations

The IPT therefore recommends changes to theways in which the Department manages its ITworkforce. One change takes the form ofrecognizing specific IA functions that reflectcurrent duties of the information age. Also, theIPT recommends coding IT billets and allpeople who perform IT functions in DoDpersonnel databases so that their careerprogression trends and training credits can beaccurately tracked. Lastly, the IPT suggeststying standardized training and certificationrequirements to those coded billets and peopleso that no one with privileged access toinformation infrastructures is overlooked whenit comes to critical IT preparatory andsustaining education.In four chapters and twelve appendices, the IPTreport presents a strong case that theDepartment should take preliminary steps thatwill substantially improve the way we manageour IA and IT workforce. The IPT concludesthat in three to five years after these

ES-2

recommendations are fully implemented, theDepartment will have the presently non-existentpersonnel data needed to make proper decisionsconcerning the creation of a career managementprogram for IT personnel. Supporting thisconclusion are nineteen distinctrecommendations and associated cost estimatesthat—if enacted—will vastly improve theDepartment’s IA and IT Management personnelposture.These recommendations suggest that CINCs,Services, and Agencies adopt a consistent IAterminology and standardized CertificationCriteria for certain IA functions.Recommendations further state that no one beallowed to perform these specified critical IAfunctions without benefit of prior training.The recommendations also address the need forIT Management education and call for thecreation of Advanced Distributed Learningprograms. Equally important is the reportidentifies the DoD entities responsible forimplementing each recommendation.Finally, the report concludes with animplementation timeline that recognizes themajor steps to complete the recommendationsand the schedule for doing so. Although thetimeline reflects five years for fullimplementation, the IPT believes that effectivemanagement and sufficient priority will result insubstantive incremental progress each year,beginning with the first year.

The costs to implement these recommendationsare significant in people, time, and money. Iftotally enacted, they will cost approximately$77.5 million over the next five years. However,the IPT is confident that the suggested course isa prudent one to position the Departmentappropriately in the Information Age.The risks to our information resources are wellknown and the strengths of our informationinfrastructure defenses are being tested daily.The weakest link in those defenses is not the technologybut the people who use, administer, and manage it.Ensuring that those people are adequatelyprepared for the challenge is the ultimate benefitof the IPT’s work.

Executive Summary

ES-3

Table ES- 1. Recommendations and Their Priorities

Priority 1: Recommendations that have a direct impact on substantiallyimproving the Department’s ability to protect the integrity andavailability of its information systems and networks and its ability tooperate effectively in a joint warfighting environment.

Priority 3: Recommendations that enable the Department to improve thequality of its IT workforce and maintain improvements realized as a resultof implementing Priority 1 recommendations.

Priority 2: Recommendations that enable the Department to substantiallyimprove its ability to manage its IT workforce or which provide long-termefficiencies for Priority 1 recommendations.

Priority 4: Recommendations that will provide official policy guidance tosupport the recommendations above.

If the DoD Implements… The Results Would Be… Implementation StatusRecommendation 1: Direct the OUSD (P&R) to establish the requirement that theCINCs, Services, and Agencies identify manpower and personnel assigned IT/IAfunctions, enter the required information into the appropriate databases, andmaintain these databases as changes occur. (Priority 2)

The Department’s IT and IAworkforces, both authorized billetsand positions and personnel, will beable to be systematically andcontinually identified and quantified.This capability will beinstitutionalized.

Implementation in the mode of“business-as-usual” will require aboutthree years once funding is provided.If sufficient priority is given to thisrecommendation, completion could berealized in about 18 to 24 months.

Recommendation 2: Direct the OASD (C3I) to work with the OUSD (A&T) and theOUSD (P&R), as part of the Inherently Governmental Working Group (IGWG), torevise IT function codes and develop definitions that more accurately reflect today’sIT and IA activities. (Priority 2)Recommendation 3: Direct the OASD (C3I) to draft guidance for review by theInherently Governmental Working Group to be used by the DoD Components todetermine core IT and IA requirements to minimize the risk of losing missioncapability. (Priority 2)Recommendation 4: Direct the OUSD (A&T) to consider the merits of developingand maintaining a database that shows contractor staff-years against majorfunctions, especially IT and IA. (Priority 4)

The Department will have moreaccurate information about itsgovernment and contractor mix in theIT/IA workforce. A mechanism will bein place to maintain a core capabilityin these critical functions and toassess the risk of additionaloutsourcing.

Work is being currently initiated inthese areas. By next year,information will be available to beginexamination of outsourcing issues andrisks.

Recommendation 5: Direct the ODASD (MPP) to establish a steering groupcomprised of OSD, Joint Staff, and each of the Services (including the Coast Guard)to focus on military IT personnel issues. (Priority 3)

The Department will have a forum forServices’ military IT career managersto identify and assess improvedmethods for managing their people.

Implementation could be completedwithin three months or less andcontinue as long as the shortage of ITpersonnel is a serious problem.

Recommendation 6: Direct the ODASD (CPP) to work with the ASD (C3I) to widelypublicize OPM flexibilities available to address civilian IT recruiting and retentionproblems. (Priority 2)

Local commanders and directors willhave better information on already-approved civilian personnelmanagement capabilities to improvetheir ability to recruit and retaincivilian IT professionals.

Implementation can be completedwithin three months. The use ofrecruiting bonuses and retentionallowances can be tracked on a regularbasis.

ES-4

If the DoD Implements… The Results Would Be… Implementation StatusRecommendation 7: Direct the OASD (C3I) to require the staffs of the DoD CIOs atthe GS-13 through the GS-15 levels to complete the DoD CIO Certificate Program orthe Advanced Management Program at the IRMC. Components that wish to useITM training programs other than IRMC will submit verification of equivalency tothe DCIO office to ensure training programs cover mandatory requirements of theClinger-Cohen Act and the Department’s implementation strategies. (Priority 3)Recommendation 8: Direct the OUSD (P&R) and the OASD (C3I) to issue policydirecting the Services/Agencies to implement a mandatory requirement that DoDCIOs, Deputy CIOs, and SESs and flag officers on the CIO staffs attend DoD-sponsored ITM executive sessions. (Priority 3)Recommendation 9: Direct the OUSD (Comptroller) to provide resources (personneland funding) to the IRMC to accommodate additional training requirements of theDoD ITM workforce. (Priority 3)Recommendation 10: Direct the OASD (C3I) to work with the Joint Staff and theODASD (CPP) to develop an IT contemporary issues training module for the CAP-STONE and APEX training sessions. (Priority 2)

IT training for the Department’ssenior executives (military andcivilians) and CIO staffs will meet therequirements of the Clinger-CohenAct.

CIO staff training can beginimmediately. However, funding isnecessary to accommodate additionalthroughput of students and thedevelopment of course and curricula toaddress new IT training requirements.

Recommendation 11: Direct the OASD (C3I) to officially adopt NSTISSI Number4009, National Information Systems Security (INFOSEC) Glossary, as the official IAGlossary. This requires the Defense-wide Information Assurance Program (DIAP)to formally coordinate an annex defining terminology not yet officially adopted byNSTISSI but used by the Department. (Priority 4)Recommendation 12: Direct the Joint Staff to review the defensive informationoperations requirements in the context of JV 2010 and translate these requirementsinto the Universal Joint Task List (UJTL) and the Joint Mission Essential Task List(JMETL). (Priority 4)Recommendation 13: Direct the OASD (C3I) to officially adopt the NIST SpecialPublication 800-16, Information Technology Security Training Requirements: ARole- and Performance-Based Model and the NSTISSIs as the minimum DoD IAtraining standards. (Priority 4)

The Department will have a commonIA language, a common referencepoint for joint training requirements,and a baseline IA training standard.

Adoption of the NSTISSI Glossary andtraining standards can beimplemented within three months.Development of a DoD Glossarysupplement and UJTL and JMETLmodifications can be implementedwithin six months.

Executive Summary

ES-5

If the DoD Implements… The Results Would Be… Implementation StatusRecommendation 14: Direct the OUSD (P&R) and the OASD (C3I) to establish therequirement that the CINCs, Services, and Agencies establish mandatory trainingand/or certification programs for the five “critical” IA functions, using the NSTISSCtraining standards and the IPT-developed certification requirements as theminimum requirement. In support of this, DISA shall develop baseline IA trainingcourses to meet the IA training requirements stipulated in the IPT certificationdocuments. These courses can then be used by the Services and Agencies to meetthe certification IA training requirement or enhanced by the Service and Agency tomeet its unique needs. (Priority 1)Recommendation 15: Direct the OASD (C3I) to establish the requirement that noperson assigned to a “critical” IA function at the entry level may be grantedprivileged access until the required IA training is successfully completed. (Priority1)Recommendation 17: Direct the OUSD (P&R) and the OASD (C3I), in concert withthe CINCs, Services, and Agencies, to coordinate biennial reviews of eachcertification and/or training program to ensure the currency and utility of therequirements. (Priority 3)

The Department will have increasedassurance about the reliability of theIA workforce and its ability to protectthe integrity and availability of theDepartment’s interoperable andnetworked information systems. Aninstitutionalized certification processwill replace today’s non-existentstandards, including maintaining thecurrency of the standards.

Although full implementation willrequire three to five years oncefunding is provided, substantialprogress can be achieved annually ifappropriate priority is given to theeffort.

Recommendation 16: Direct the OUSD (P&R) and the OASD (C3I) to establish therequirement that the CINCs, Services, and Agencies document these certificationprograms in full and develop the capability to readily produce detailed answersabout the status of certifications. (Priority 3)Recommendation 18: Direct the OUSD (P&R) and the OASD (C3I) to develop andestablish an Advanced Distributed Learning program, including a certificationmanagement system, for IA training and education at DISA or other appropriatelocation. The IA Advanced Distributed Learning effort will support implementationof an IA element within the Federal Center for Information Technology Excellenceproposed under PDD 63. (Priority 2)

The Department will have thecapability to maintain current IAtraining modules and deliver thistraining to the workforce in a timelyand cost-effective manner as well astrack the currency of the workforce’scertification.

Although it will take five years to fullyimplement these recommendations, bycapitalizing on similar work alreadycompleted, the requirements can beprioritized, with specific capabilitiescompleted progressively beginningwith the first year after funding isprovided.

Recommendation 19: Direct the OASD (C3I) to incorporate into the DODIR 8500.xx,Information Assurance, the requirement for contractors assigned “critical” IAfunctions to meet the same or equivalent certification and training requirements asDepartment personnel. This recommendation requires that the OUSD (A&T)provide guidance to Contracting Officers to ensure these requirements are includedin affected contracts. (Priority 1)

The Department’s IT/IA contractorswill meet the same minimum trainingand certification requirements as ourmilitary personnel and civilianemployees.

The policy can be promulgated withinsix months. All new contracts wouldmeet the requirements from the timethe policy was promulgated.Estimates are up to two years beforeall existing contracts requiringchanges are amended.

ES-6

1. The Problems

1

1. The Problems

1.1 Background

There is a growing shortage of information technology (IT) professionals worldwide. Thishas caused major competition between the private and public sectors in hiring andmaintaining skilled IT personnel to meet the rapidly expanding technological needs oforganizations. Coupled with this, there is also a growing concern regarding informationsecurity. The Department of Defense (DoD) is an information- and technology-dependentorganization. Mission accomplishment, including the ability to maintain a secure informationinfrastructure, is at great risk if the required IT professionals are not available

In May 1996, the General Accounting Office (GAO) published its report, Information Security:Computer Attacks at Department of Defense Pose Increasing Risks. This GAO report provided anexcellent summary of the growing threat to the information infrastructure of the DoD.Additional support for this situation was provided in the November 1996 Defense ScienceBoard (DSB) Report on Information Warfare – Defense.

If the findings of both the GAO and DSB reports are viewed in the context of Joint Vision(JV) 2010, the prognosis for achieving the JV 2010 goal of information superiority is bleak.Recent events and exercises such as Solar Sunrise, Eligible Receiver, and Evident Surpriseconfirm these findings. Further, since the GAO publication, the DoD continues to sustainspecific documented attacks to its information infrastructure, again adding credence to thereport’s findings: The Department’s warfighting capability and the security of its supporting informationinfrastructure are at great risk. Fixing the problem requires commitment at all levels ofmanagement and leadership to:

•••• Ensure complete understanding, throughout the Department, of the issues andattendant risks to mission accomplishment.

•••• Revise and establish policies that reflect the information technology environment oftoday and tomorrow.

•••• Mandate minimum standards and continuous risk assessment for the protection,integrity, and availability of the Department’s information infrastructure.

•••• Provide resources, both dollars and people, to maintain an acceptable level of risk inprotecting the integrity and availability of DoD information systems.

1.2 Goals of the IT/IA Human Resources Integrated Process Team

The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)(ASD (C3I)) and the Under Secretary of Defense (Personnel and Readiness) (USD (P&R)),responding to tasking from the Deputy Secretary of Defense (DEPSECDEF), established anInformation Technology (IT)/Information Assurance (IA) Human Resources Integrated

2

Process Team (IPT) on September 22, 1998, to address the human resources issues raised inthe GAO report as well as in subsequent reports by the DoD Inspector General (DoDIG),DSB, and internal studies on the Department’s information infrastructure. The goals of theIPT were to recommend actions and policies that would:

•••• Identify critical IA and information technology management (ITM) knowledge andskills.

•••• Create mechanism(s) to assess and certify individual competencies.

•••• Establish well-defined occupational descriptions and career fields.

•••• Monitor accession and retention trends.

•••• Develop and implement training programs.

•••• Identify barriers to implementation.

The IPT was established under the Office of the Secretary of Defense (OSD) leadership of:

•••• Kenneth Scheflen, Director, Defense Manpower Data Center;

•••• Richard Schaeffer, Director, Information Assurance; and

•••• Kim Corthell, Director, Information Policy.

The IPT was organized into three subgroups with membership from the Services andAgencies as shown in Table 1.

Table 1. IPT Organization

InformationAssurance

InformationTechnology

ManagementPersonnel

Policy

Membership

DIA

NSA

Army

Navy

Air Force

DISA

Marine CorpsOSD (P&R) (C3I)

(IG) (A&T)

Joint Staff

DFAS

DSS

DLA

WHS

NIMA

BMDO

OSD originally allotted the IPT 120 days to complete its work. However, given thecomplexity of the assignment and the Department’s inability to readily provide the team withneeded foundation data about existing IT and IA human resources, the IPT required anextra 60 days.

1.3 Overview of Problems and Issues

The current problems in the Department’s IT and IA human resources management mustbe understood in the dynamically changing technological, economic, and environmentalcontext. It is clear that our IT/IA human resources management increasingly lagged behind

1. The Problems

3

the rapid expansion of and technological growth in information systems, especially withrespect to the Department’s overwhelming dependence on information technology. The IPTfocused on problems and issues in (1) workforce management and (2) IT and IA trainingand certification. These are briefly described in the next sections.

1.3.1 Workforce Management

The promise of streamlined operations and improved efficiency often resulted in projectedpersonnel savings being taken simultaneously with the technology procurements during thebudget process. At the outset of the information technology revolution, Servicecommanders and Agency leaders used their local budget authority to purchase additionalsystems without understanding the human resource implications. They routinely decreasedtheir human resource requirements to justify their technical procurements, basing thesedecreases on the promise of streamlined operations and improved efficiency resulting fromthe new technologies. Although the information systems acquisition process is much betterunderstood and managed today, the Agencies and Services have not been able to address theresulting human resource shortages to manage and protect our existing information systems.In an effort to address this shortfall, leaders across the DoD, have relied on the self-taughtcomputer “hobbyist” to fill the gap.

The Office of Personnel Management (OPM) authorized specific flexibilities for civilianpersonnel to help address the government-wide recruiting and retention problems facingmanagers. Few of these flexibilities are being used within the Department. Furtherexacerbating the IT workforce problems are DoD initiatives such as the recent majordownsizing of our military and civilian workforces and the increased emphasis onoutsourcing. Such initiatives tend to mask the supply problem in the Department.

When the situation is viewed in a broader context, the complexities of solving the problemare evident. Shortages in the supply of IT professionals are not confined to the DoD—theyexist for other federal agencies and nationally in the private sector. Recruiting is difficultwhen colleges and universities are only producing enough IT graduates to fill half of thegrowing annual requirement. Several U.S. companies have begun recruiting foreign nationalsto fill their IT jobs. Under the H-1B non-immigrant category of U.S. immigration law, U.S.employers may sponsor 65,000 professional foreign nationals each year. These workersmust have a professional undergraduate degree or substantial work experience and may workin the United States for six years. This was just one congressional effort to try to narrow thegap. The turnover rate among IT professionals in the private sector is 30%, five times therate for the private sector as a whole. Interviews with thirteen DoD IT contractors providedinformation on private sector IT recruiting and retention techniques. See Appendix A of asummary list of “best practices” in the private sector to combat the very real recruiting andretention issues.

The Department’s ability to compete with the private sector in the area of compensation islimited by personnel practices and guidelines. It is also limited by law in the case of militarypersonnel. The private sector can react quickly to any substantive compensation changemade in the government. However, more extensive use should be made of the documentissued by OPM, Recruiting and Retaining Information Technology Professionals, to acquire andmaintain a stable civilian workforce of IT professionals within the Department. See

4

Appendix B for a copy of this OPM report. To acquire and maintain military ITprofessionals, the Services are currently using and expanding the use of enlistment andreenlistment incentives and bonuses for enlisted personnel.

1.3.2 IT and IA Training and Certification

The level and content of training in the Department varies. In some areas there arecomprehensive training programs available for all DoD personnel such as the DoD ChiefInformation Office-sponsored programs at the National Defense University (NDU).Unfortunately, the Department does not take full advantage of these programs. In othercases, such as information assurance, training has been either unavailable or too expensivefor some of the IA workforce. As a result, the level of training for our IT/IA workforce isuneven at best. The training content varies across the Department. This is a potentiallyserious threat to the Department’s joint warfighting capability. Aside from those Agencieswith technical missions, there are few career management programs (with management beingthe operative word) for the Department’s civilian IT professionals.

1.4 Data Collection and Analysis.

The IPT’s early attempts to identify and quantify Department personnel assigned IT and IAfunctions ran into a number of significant—and enduring—barriers. The IPT’s experienceswarranted a separate section documenting the problems as they pertain to collecting data onthe subject of this report. We start first with discussing briefly the standard approach toevaluating workforce management, our efforts at evaluating, and then the modifications and“work-arounds” necessary to obtain, at the minimum, qualitative data and anecdotalevidence.

1.4.1 The Approach

The generally accepted methodology used to evaluate workforce management is to (1) definethe functions performed by the workforce; (2) identify the requirements, authorized billetsand positions, and personnel assigned those functions; (3) analyze the career structure andpersonnel issues such as accessions, retention, relative compensation (including benefits),career growth potential; (4) evaluate the effectiveness of the career management programs;and (5) recommend improvements.

In defining the functions performed by DoD IT/IA executives and personnel, the IPT usedthe Federally adopted Clinger-Cohen Competencies (listed in Appendix C) to define thefunctions of the IT workforce as a whole. The IA functions, although in existence, had notbeen codified or defined; therefore, the IPT identified a set of eleven functions (listed inAppendix D) that encompass all the IA functions currently performed in the Department.From the list of eleven functions, the IPT further defined five of these functions as“critical,” requiring privileged access. Privileged access is defined to be a special accessabove those privileges required for the normal data acquisition or operation of aninformation system. This access grants capabilities to a user, operator, administrator,maintainer, auditor, or any other person that would enable them to alter or affect the

1. The Problems

5

intended behavior or proper content of a system as well as the capabilities or data of anyother user of the information system. The first step of the IPT study was accomplished.

1.4.2 Personnel Classification Systems

The next step was to identify requirements, authorized billets and positions, and personnelassigned to IT/IA functions. The DoD personnel classification systems and personnelassignment systems contributed to the IPT’s difficulty in clearly defining the IT workforce.

(1) The military Services have specific military IT occupational specialties which haveundergone intensive Service review and restructuring in the past three years.Personnel in these IT occupational specialties are managed as IT professionals.Accessions, retention, career development and progression, job assignments, andeducation and training are all major components of the centralized Servicemanagement of these 50,000 IT professionals. The management of thisworkforce is further discussed in Section 2.2.1.

(2) The military Services assign other military personnel who are not in specificmilitary IT occupational specialties to IT functions. Possible reasons for thissituation include:

•••• There are insufficient authorized IT billets and therefore insufficient ITpersonnel.

•••• There are authorized IT billets but insufficient IT personnel to fill these billets.

• Non-IT occupational specialties (e.g., finance, base supply, medical,maintenance) where the non-IT functional expertise is required, but IT skillsare also required.

Identifying and quantifying these people is not a current or planned capability ofthe military Services.

(3) There are five civilian occupational series that few people would dispute as beingIT occupational specialties:

• GS-332 – Computer Operator

• GS-334 – Computer Specialist

• GS-335 – Computer Clerk/Assistant

• GS-854 – Computer Engineer

• GS-1550 – Computer Scientist

In March 1997, there were 34,000 people in these occupational specialties (notcounting the National Security Agency (NSA), the Defense Intelligence Agency

6

(DIA), and the National Imaging and Mapping Agency (NIMA)). While there arecentralized career programs for positions that can be categorized as IT positions,civilian assignments to these positions are not centrally managed as are militaryassignments. In certain functional areas including information management, theMilitary Departments manage some of their grade 12 and above civilians centrally.However, these programs do not encompass all of those involved in informationtechnology and information assurance functions.

(4) There are additional civilians who are considered to be IT professionals because oftheir training, education, job experience, and assigned functions. However, thesepeople are in a variety of occupational series. Identifying and quantifying the ITprofessionals in these series is not a current or planned capability of the Servicesor Agencies.

•••• There are insufficient authorized IT positions and therefore insufficient ITpersonnel.

•••• There are authorized IT positions but insufficient IT personnel to fill thesepositions.

• There are additional civilians who would not be considered IT professionals(i.e., they do not fit into either of the above two categories) but are assigned ITfunctions.

This group is similar to item (2) for the military personnel.

Identifying and quantifying these people is not a current or planned capability ofthe Services or Agencies.

(5) Finally, there are the contractors who perform IT functions as IT professionals forthe Department under contract. The full-time equivalent staff-years in thiscategory are unknown because there is no mechanism in place to collect contractorstaff-years by function.

1.4.3 Personnel Management Systems

Military and civilian personnel in general terms are managed very differently.

•••• The military personnel system is essentially a closed system whereby people enter theService at the entry level and are promoted, over time, to higher levels. The civilianpersonnel system is an open system, whereby people can enter at whatever level forwhich they qualify based on education and experience.

•••• Military personnel have little choice in job assignment and/or duty location. Theneeds of the Service dictate both of these. Civilian personnel can choose bothspecific jobs and duty location.

•••• The Services are given wide latitude in establishing occupational career fields.Civilians’ occupational series are governed by those series established and defined byOPM.

1. The Problems

7

It is not reasonable to expect the Services or Agencies to manage a workforce that cannot beidentified or quantified. The 50,000 military IT professionals discussed in item (1) can beand are managed. The 34,000 civilian IT professionals addressed in item (3) are only a part ofthe civilian IT professional workforce. Without the ability to identify the civilians who arepart of item (4), it is difficult to impossible to identify possible improvements to ourmanagement systems.

Analyzing management options for those military and civilian personnel addressed in items(2) and (5) requires knowledge of the identity and quantity of people in these categories.Otherwise, it is not possible to estimate the dollar or management impact of any proposedchanges. Currently there is insufficient data available that would allow the Department tocalculate what percentage of its IT workload is accomplished by contractors and whatpercentage is accomplished by our military personnel and civilian employees.

1.4.4 Data Call

For all of the reasons cited in the previous sections, we cannot quantify or document ourDepartment’s IT recruiting or retention problems. We cannot project training and educationrequirements or costs for the civilian IT professional workforce nor can we project costs forcompensation proposals.

In an effort to learn more about the IT workforce, the IPT elected to focus on the IAfunctions since these functions—if not performed properly—directly affect the security ofour infrastructure. To quantify the characteristics of the IA workforce, the IPT completed adata call among the Services and Agencies. The IPT’s original intent was to:

•••• Size the IA workforce;

•••• Quantify what percentage of the IA workforce was in other than IT occupationalspecialties;

•••• Quantify what percentage of the IA workforce had no formal training;

•••• Identify the occupational specialties being used to perform IA functions; and

•••• Quantify the workforce size by IA function.

This data call process is described in detail in Appendix E. Although data collected througha data call reflects only a single point in time, the IPT did learn some important facts fromthe conduct of the data call and the analysis of the data.

•••• Collecting data at the unit level (bottom up) is a time-consuming and problematicprocess. It took approximately two months to get approval for the data call and,after an additional five months, the response rate was well under 25%, making itdifficult to make statistically reliable projections for the Department.

•••• Prior anecdotal information that a sizable percentage of the IA workforce were notIA professionals was confirmed by the data call.

•••• Prior anecdotal information that a sizable percentage of the IA workforce receivedlittle more than on-the-job training was confirmed by the data call.

8

2. Workforce Management

9


2.1 Findings and Recommendations

2.1.1 Finding: The CINCs, Services, and Agencies lack necessary capabilities toadequately manage the IT workforce as a whole, and the IA workforce inparticular.

Recommendation 1: Direct the OUSD (P&R) to establish the requirement that theCINCs, Services, and Agencies identify manpower and personnel assigned IT/IAfunctions, enter the required information into the appropriate databases, and maintainthese databases as changes occur. (A review is currently being conducted by the Officeof Personnel Management (OPM) of IT workforce functions to more accurately define,classify, and track IT positions and personnel. During the execution ofRecommendation 1, the results of the OPM efforts can be incorporated since it will alsorequire the identification and review of IT functions, positions, and personnel.)

This includes military, both active and Reserve components, and civilians. Modifications toexisting manpower and personnel databases, as well as changes to Service/Agency directives,will be required. (Appendix G outlines the coding requirements.)

2.1.2 Finding: The current trend towards outsourcing IT and IA functions raisesconcerns regarding potential risks to our mission.

Recommendation 2: Direct the OASD (C3I) to work with the OUSD (A&T) and theOUSD (P&R), as part of the Inherently Governmental Working Group (IGWG), torevise IT function codes and develop definitions that more accurately reflect today’s ITand IA activities.

The function codes and definitions will be used by the DoD Components during the nextannual Inherently Governmental and Commercial Activities Inventory.

Recommendation 3: Direct the OASD (C3I) to draft guidance for review by theInherently Governmental Working Group to be used by the DoD Components todetermine core IT and IA requirements to minimize the risk of losing mission capability.

Once this core requirement has been defined and quantified, take steps to ensure that thiscapability is protected from outsourcing.

Recommendation 4: Direct the OUSD (A&T) to consider the merits of developing andmaintaining a database that shows contractor staff-years against major functions,especially IT and IA.

10

2.1.3 Finding: Each of the Services is increasingly challenged in its retention ofexperienced military IT personnel.

Recommendation 5: Direct the ODASD (MPP) to establish a steering group comprisedof OSD, Joint Staff, and each of the Services (including the Coast Guard) to focus onmilitary IT personnel issues.

2.1.4 Finding: The civilian personnel management and compensation flexibilitiesauthorized by the Office of Personnel Management are not beingaggressively pursued by organizations plagued with IT shortages.

Recommendation 6: Direct the ODASD (CPP) to work with the ASD (C3I) to widelypublicize OPM flexibilities available to address civilian IT recruiting and retentionproblems.

2.2 Discussion and Analysis

It is clear that if the Department is to develop and maintain a world-class IT workforce, itmust first be able to systematically and continually identify and quantify its IT workforcerequirements and its existing IT workforce. This capability must be institutionalized withinthe Department. Existing manpower and personnel databases must be modified to providethis capability. In the meantime, there are several steps the Department can take to addressIT workforce issues. The Department should ensure that there is a broad understanding ofwhat capabilities already exist to address recruiting and retention problems for the civilian ITworkforce. The Services should continue to aggressively manage their military IToccupational specialties. The Department should rethink its outsourcing policies in IT andbegin by changing the IT functional definitions in the Inherently Governmental andCommercial Activities Inventory and providing guidance regarding the maintenance of acore capability.

2.2.1 Military IT Occupational Specialties

Each of the Services has established military IT occupational specialties. DoD-wide, thesespecialties number approximately 11,000 officers and 38,000 enlisted. These occupationalspecialties are actively managed by the Services, and there are personnel policies in place togovern the IT professionals. Overall, the Services are meeting end-strength requirementsbut are increasingly challenged to retain personnel in the IT career specialties. Whileretention of military personnel in general is currently a concern in the Department, there aresome IT-specific occupational specialties, particularly within the Air Force and MarineCorps, where retention has not met expectations and is a concern. Reasons cited forpersonnel leaving the military include private sector opportunities, PERSTEMPO/OPTEMPO, and, in some cases, career progression limitations.

Each of the Services has implemented actions to boost retention. These incentives includeoffering selective reenlistment bonuses, adjusting career fields to improve career progressionopportunities, increasing emphasis on continuing education tied to increased Servicecommitments, and providing commercial certification, again tied to increased Service


11

commitments. Additionally the Services are increasingly allowing those personnel notselected for advancement to stay in the military past traditional separation gates.

The Services are also encouraging personnel to laterally convert from other specialties intoIT specialties and recruiting personnel with prior service experience, subject to specificguidelines, to assist in meeting end-strength requirements.

Each Service is closely monitoring and managing its accession programs to meet end-strength requirements. The Services use computer models that identify specific skillrequirements. In some cases, the Services are increasing accessions of personnel into ITspecialties to build a larger base population of IT specialties. In other cases, enlistmentbonuses are being used to attract personnel into the IT specialties.

Each of the Services changed its officer and enlisted IT career fields in the last three years.These changes include merging specialties, reshaping assignments, improving careerprogression opportunities, and redefining training requirements and progression, resulting inan improved comprehensive career management plan. The effects of these changes on theoverall IT retention effort cannot be assessed at this time. Detailed information on thesecareer fields is available in Appendix F.

While the Services have recognized the problems in retaining experienced military ITprofessionals and are taking actions to address the problems, many of the approaches arenot being shared among the Services. Furthermore, given the long-term situation in theprivate sector, the Services’ retention challenges are not likely to disappear soon. Therecommendation to establish an OSD-sponsored steering group would serve to:

•••• Foster a mutual exchange of information on accession/retention programs related tothe military IT professionals,

•••• Provide a venue for developing new approaches (e.g., commercial certificationincentives in exchange for additional service commitments),

•••• Focus budgeting strategies (e.g., Selective Reenlistment Bonuses (SRBs), enlistmentbonuses), and

•••• Develop long-term military IT personnel strategies.

2.2.2 Outsourcing

We have not had the opportunity to define the functions that are inherently governmental.Given the new awareness of asymmetric threats, we need to analyze more carefully the risksassociated with using the non-federal workforce to perform functions that are key to oursuccess on the battlefield. Some of these functions require dealing with very complexproducts whose very nature makes it easy to disguise flaws. It is critical that we constructour management approach to minimize our vulnerability to these hidden risks. TheDepartment must ensure that some level of core IT and IA capability is maintained or, as aminimum, understand the risks—and their consequences— of losing this core capability.

The IPT was unable to find a data source to identify the number of contractor staff-yearscurrently used in the Department for IT functions. However, using data collected through

12

the Inherently Governmental and Commercial Activities Inventory Report, the Services andAgencies reported an inventory of almost 101,000 authorized military and civilians for ITfunctions. Since this Inventory Report does not define its functional categories, the IPTidentified those categories in the Inventory Report that best matched the IT functions listedin the Clinger-Cohen competencies.

Out of the inventory identified as IT functions, the Services and Agencies identified almost29% as subject to review for outsourcing. We know that a substantial part of the ITworkload is already assigned to contractors. This means that the potential government’sshare of the government-contractor split is much less than 70%. What that share should beis a subject of concern, an issue that should be examined sooner, rather than later. TheDepartment must assess the potential risks of losing our in-house capability and take steps toprotect a core capability.

Currently, there is inadequate information available regarding contractor work-years used forIT functions. To fulfill a congressional reporting requirement, each year the OUSD (A&T)collects information describing the contractor work-years that support certain high-levelfunctions. Labor expended to support purely IT functions is categorized as such at a generallevel, but the classification system does not allow visibility into the IT support provided tothe line functions such as health services, depot repair, and so forth.

2.2.3 Civilian IT Personnel Management

Although civilian IT shortages cannot be documented at the Department level, IT recruitingand retention difficulties are being experienced at the local levels within the Department.Statistics are available that document the use of recruiting bonuses and retention allowancessince FY 1997 (Table 2).

Table 2. Incentives – FY1997 Through March 1999

FYIT Employees GivenRecruiting Bonuses

IT Employees GivenRetention Allowances

97 24 138

98 52 161

99(through Mar 99) 25 166

While pay is not the sole incentive for recruitment and retention, it is a factor in thedecision-making process. The Department should begin an aggressive campaign to educatethe Services and Agencies regarding both compensation and non-compensation flexibilitiesavailable.

3. Training and Certification

13


3.1 IT Management Training: Findings and Recommendations

3.1.1 Finding: The IT educational programs offered by the Information ResourcesManagement College (IRMC), a part of the National Defense University(NDU), are not being fully utilized by the Department to educate and trainIT management professionals or functional personnel with informationtechnology management responsibilities.

Recommendation 7: Direct the OASD (C3I) to require the staffs of the DoD CIOs atthe GS-13 through the GS-15 levels to complete the DoD CIO Certificate Program orthe Advanced Management Program at the IRMC. Components that wish to use ITMtraining programs other than IRMC will submit verification of equivalency to the DCIOoffice to ensure training programs cover mandatory requirements of the Clinger-CohenAct and the Department’s implementation strategies.

Recommendation 8: Direct the OUSD (P&R) and the OASD (C3I) to issue policydirecting the Services/Agencies to implement a mandatory requirement that DoD CIOs,Deputy CIOs, and SESs and flag officers on the CIO staffs attend DoD-sponsored ITMexecutive sessions.

Recommendation 9: Direct the OUSD (Comptroller) to provide resources (personneland funding) to the IRMC to accommodate additional training requirements of the DoDITM workforce.

Funds will be used to execute (1) education and training initiatives outlined in this document;(2) the conversion of classroom courses to distance learning to meet the increase inthroughput of students; and (3) the development of new ITM education and trainingrequirements (e.g., development of IA Certificate Program for managers).

3.1.2 Finding: DoD does not have a method to continuously educate and train itssenior executives, military or civilian, to ensure they are equipped with thenecessary knowledge and skills to make effective decisions that impact ITinitiatives within their mission areas.

Recommendation 10: Direct the OASD (C3I) to work with the Joint Staff and theODASD (CPP) to develop an IT contemporary issues training module for the CAP-STONE and APEX training sessions.

3.2 IT Management Training: Discussion and Analysis

The IT workforce is assigned such a wide range of functions that to evaluate IT training inthe time frame available would have been an insurmountable task. Rather, the IPT

14

examined, in general, the existence of IT training in the Department for both the ITprofessional and the general user. The objective of this review was to identify major gaps inavailable IT training. Because of the risk to the Department’s computer securityinfrastructure, the primary focus of a detailed examination of IT training was on informationassurance, addressed in Section 3.3. IT training, because of the pervasiveness of thetechnology and the interoperability of systems and networks, is needed by everyone, at leastto some degree. The IPT found IT training coverage existed as follows:

•••• Skill training for the military IT workforce in IT occupational career fields isgenerally recognized as meeting the needs of the Services.

•••• Graduate education in the IT field exists both in-house and at colleges anduniversities around the country, and is used extensively by the Services and Agenciesfor both military and civilian IT professionals.

•••• The Services have either already incorporated, or are in the process of doing so,basic IT training and awareness into accession programs for military personnel, suchas Reserved Officer Training Corps (ROTC), Officer Candidate School (OCS),Service Academies, and initial skill training courses for non-IT occupationalspecialties.

The Department spends nearly 1% of its civilian payroll budget on civilian training, whichequates to approximately $750 per person annually. We have no way of determining howmuch of the expenditure is IT related. However, due to the increase in the use ofinformation technology, training in information technology management should be a priorityto maintain skilled personnel to carry out the mission critical functions of the Department.In the private sector, those successful IT organizations with the highest training expendituresmeasure training investments as a percentage of total payroll. One company, withsignificant expenditures per employee, spends 15.3% of its payroll on training. Incomparison with the private sector, the Department’s 1% does not seem sufficient.

Because of the rapid advances in IT, training must be viewed as a continuum designed tomaintain a knowledge and skill base that is highly perishable—it is not a one-time careerevent. This training continuum is critical to sustaining information superiority. Studies andreviews have proven that most system failures result from poor program management andoversight rather than technical problems. Functional managers, sponsors, program andproject managers must be skilled enough to strategically plan projects successfully and usemanagement controls that are available to assist in directing information technologyinitiatives. Section 5125(c )(3) of the Clinger-Cohen Act recognizes the importance of theseskills. This act directs federal agencies to define core skill requirements and design programsto rectify deficiencies accordingly.

To meet these requirements, the Federal Chief Information Officer Council approved theClinger-Cohen Core Competencies to:

•••• Serve as the federal “requirements established” for personnel,

•••• Be used as a baseline to assess the skill and knowledge requirements of employees,

•••• Serve as a tool in human resource planning and management, and


15

•••• Serve as a baseline to determine required course and curriculum trainingrequirements in the information resources management field.

•••• The recommendations in this report are consistent with the requirements of theClinger-Cohen Act.

The Secretary of Defense named the Information Resources Management College (IRMC)as the primary source of education to meet the training needs of DoD CIOs, executives, andsenior-level managers, as required by the Clinger-Cohen Act. Essentially, these programs areencouraged; however, few incentives exist to take full advantage of them.

The DoD CIO also sponsors annual DoD CIO Executive Training Sessions at the IRMCthat focus on current critical issues and initiatives in IT. The sessions are intended toprovide an awareness of emerging management strategies to address these issues withinDoD and private sectors. These sessions are designed for DoD CIOs, Deputy CIOs, andother senior executives. DoD underutilizes these sessions while the other federal agencieshave responded overwhelmingly.

If, in the future, the Department decides that a centralized career management program forIT professionals is required, all IT training should be examined. This review should assesshow training should be used throughout the IT professional’s career and determine thesufficiency and adequacy of the training content and availability. In the meantime, theIRMC Certificate Program should be required for all IT professionals assigned to CIO staffsat the GS-13 level and above. Also, DoD CIOs, Deputy CIOs, and Senior ExecutiveService (SES) personnel on the CIO staffs should be required to attend annual DoD-sponsored Executive Sessions. To accommodate the increase in throughput of students,additional resources (personnel and funds) must be allocated to the IRMC.

The most important segment of the Department’s workforce that requires IT awarenesstraining is the senior leadership: flag and general officers and the SES. These are theindividuals who shape the priorities and make decisions that impact IT initiatives within theirmission areas. Not knowing the capabilities, limitations, or regulatory requirementsregarding IT initiatives puts the Department at risk for additional problems. TheDepartment must ensure that adequate skills, knowledge, and awareness of IT are woventhroughout the organization and not just at the IT functional levels. We must seize everyopportunity to ensure that the Department’s decision makers are briefed, trained, andeducated to heighten the IT skill and knowledge capabilities at all levels. Accordingly, theIPT reviewed the CAPSTONE and APEX Programs to ensure key critical competency areasof information technology were addressed.

All general and flag officers are required to attend the six-week CAPSTONE Program at theNational Defense University within two years of promotion to general or flag rank.Although there is a substantial portion of the curriculum dedicated to C4I subject areas, theemphasis is on intelligence and information warfare. There is no realistic method to ensurethat the high profile, contemporary IT issues are presented to this group within the currentcurriculum. Currently, OSD senior executives in acquisition, public affairs, and ReserveAffairs each spend approximately 1.25 hours addressing the CAPSTONE students on the“hot” topics in these areas. If each of these three speakers gave up 15 minutes of the

16

allotted time, 45 minutes would be available for the ASD (C3I) to present the “hot” topics inIT.

The IPT also found that all newly appointed SES members (career and non-career) arerequired to attend the two-week APEX course. The current curriculum provides no trainingin contemporary IT issues. These Senior Executives need this training. The APEX courseshould allocate 45 minutes for the ASD (C3I) to present the “hot” topics in IT.

3.3 IA Training: Findings and Conclusions

3.3.1 Finding: JV 2010 requirements for information superiority, coupled withthe Department’s interoperable systems and networks, demand a commonlanguage and common baseline of training requirements.

Recommendation 11: Direct the OASD (C3I) to officially adopt NSTISSI Number4009, National Information Systems Security (INFOSEC) Glossary, as the official IA Glossary.This requires the Defense-wide Information Assurance Program (DIAP) to formallycoordinate an annex defining terminology not yet officially adopted by NSTISSI butused by the Department.

Recommendation 12: Direct the Joint Staff to review the defensive informationoperations requirements in the context of JV 2010 and translate these requirements intothe Universal Joint Task List (UJTL) and the Joint Mission Essential Task List (JMETL).

3.3.2 Finding: The “critical” IA functions, namely those that require privilegedaccess, should not be assigned to the computer “hobbyist” with minimal tono formal training.

Recommendation 13: Direct the OASD (C3I) to officially adopt the NIST SpecialPublication 800-16, Information Technology Security Training Requirements: A Role- andPerformance-Based Model and the NSTISSIs as the minimum DoD IA training standards.

Recommendation 14: Direct the OUSD (P&R) and the OASD (C3I) to establish therequirement that the CINCs, Services, and Agencies establish mandatory training and/orcertification programs for the five “critical” IA functions, using the NSTISSC trainingstandards and the IPT-developed certification requirements as the minimumrequirement. In support of this, DISA shall develop baseline IA training courses to meetthe IA training requirements stipulated in the IPT certification documents. Thesecourses can then be used by the Services and Agencies to meet the certification IAtraining requirement or enhanced by the Service and Agency to meet its unique needs.


17

Recommendation 15: Direct the OASD (C3I) to establish the requirement that noperson assigned to a “critical” IA function at the entry level may be granted privilegedaccess until the required IA training is successfully completed.

Recommendation 16: Direct the OUSD (P&R) and the OASD (C3I) to establish therequirement that the CINCs, Services, and Agencies document these certificationprograms in full and develop the capability to readily produce detailed answers about thestatus of certifications.

Recommendation 17: Direct the OUSD (P&R) and the OASD (C3I), in concert withthe CINCs, Services, and Agencies, to coordinate biennial reviews of each certificationand/or training program to ensure the currency and utility of the requirements.

3.3.3 Finding: For the most part, IA training is currently provided in aconventional classroom situation.

Recommendation 18: Direct the OUSD (P&R) and the OASD (C3I) to develop andestablish an Advanced Distributed Learning program, including a certificationmanagement system, for IA training and education at DISA or other appropriatelocation. The IA Advanced Distributed Learning effort will support implementation ofan IA element within the Federal Center for Information Technology Excellenceproposed under PDD 63.

This effort must be fully integrated with the manpower, personnel, and training systems ofthe warfighter. The appropriate DoD, Guard and Reserve Components, and the nation’sacademic and training communities must be engaged in this effort. A specific programelement should be established to fund development and implementation of this effort.Provisions must be included in the design of this system to ensure availability for our sea-going personnel. Web access is not always available for these personnel.

3.3.4 Finding: With an increasing contractor IA workforce, it is important toensure that this segment of our workforce does not become the weak link inprotecting our information systems. The Department must ensure thatcontractors are subject to the same training and certification requirementsas its own personnel.

Recommendation 19: Direct the OASD (C3I) to incorporate into the DODD 8500.xx,Information Assurance, the requirement for contractors assigned “critical” IA functions tomeet the same or equivalent certification and training requirements as Departmentpersonnel. This recommendation requires that the OUSD (A&T) provide guidance toContracting Officers to ensure these requirements are included in affected contracts.

3.4 IA Training: Discussion and Analysis

Information superiority in the Department depends on a properly trained IA workforce.Because of the rapid advances in IT, training must be viewed as a continuum designed tomaintain a knowledge and skill base that is highly perishable; it is not a one-time careerevent. This training continuum is critical to sustaining information superiority as required byJV 2010.

18

The Department’s joint warfighting capability in the information age is extremely vulnerabledue to the interconnectedness of its information infrastructures. The integrity andavailability of our network is critical to ensuring and sustaining information superiority. Ourvulnerabilities include:

•••• Lack of a common IA “language” even among the IA professionals.

•••• Lack of common training standards.

•••• Lack of assurance that the Department’s IA workforce, particularly those withprivileged access, are held to some minimal training requirements before being giventhe “keys to the kingdom.”

•••• Lack of a consistent capability of Services and Agencies to provide initial skilltraining to all members of the IA workforce, much less continuing training tomaintain currency with the rapidly changing technology.

•••• Difficulty of maintaining currency of training curricula.

The next step, after identifying training gaps, would normally be to determine trainingshortfalls. Although the IPT could identify training capacities, it could not identify trainingrequired, again because there is no mechanism in place to identify the workforce.

3.4.1 Training and Certification

Implementation of JV 2010 demands information superiority and a joint warfightingcapability in a highly networked environment. Existing training standards have the potentialto render information systems vulnerable from the uneven skills and abilities of thoseworkers who require critical IA skills. The Department must ensure that training standardsare consistent across Services and Agencies, particularly in the skills required to protect theavailability and integrity of our information systems.

Although JV 2010 and the Concept for Future Joint Operations both clearly identify theneed for information superiority, the concept of information superiority is relatively new. Thereare ongoing efforts to define information superiority in terms of mission accomplishment.The documents used by the warfighter include the UJTL and the JMETL.

A review of these documents reveals that the current focus is almost exclusively on offensiveinformation operations. Although the JV 2010 and the Concept for Future Joint Operationsaddress the requirement for DoD-wide “information system/protect skills” or defensiveinformation operations, this requirement has yet to be translated into a UJTL or JMETLrequirement. If the warfighter is to recognize the critical importance to mission capabilityand readiness, the requirement must be clearly delineated in those documents of importanceto the warfighter—the UJTL and JMETL.

Services and Agencies provided a list of current IA training. IPT analysis of this informationshowed the following:

•••• All Services and NSA, DIA, and DISA provide a full range of IA training courses totheir system and network administrators. Some of these courses are vendor


19

provided, some are computer based; some are mobile; most are in a fixed location ina classroom.

•••• All Services and NSA, DIA, DISA and Defense Logistics Agency (DLA) provide IAtraining for Information System Security Managers (ISSMs) and Information SystemSecurity Officers (ISSOs).

•••• Only the Army offered a formal training course for Computer Emergency ResponseTeams (CERT).

•••• The Air Force provides formal in-house CERT training to members of the AirForce CERT and its quick-reaction teams, separate from its official resident trainingprograms.

•••• DISA is developing a computer-based CERT course targeting managers. Once thismanagers’ course is completed, a technical CERT training course is scheduled fordevelopment.

•••• No formal training is currently available for individuals on Red Teams or whoprovide vulnerability or threat assessments. NSA has related vulnerability and threatassessment courses but from an offensive, rather than defensive, perspective. TheDefense Information Systems Agency (DISA) is developing a hands-on exercise,using computer-based training (CBT), to teach systems administrators and managerstechniques to reduce threat and vulnerabilities to their information systems.

As efforts proceeded to develop certification and training requirements, it was clear thatthere was not a common IA language, even among the IA functional experts. Without sucha common language, time must be devoted to develop and agree on definitions before IAissues can be resolved. This lack of common terminology can have devastatingconsequences for a joint warfighting effort. The Department participates in thedevelopment of NSTISSI Number 4009, National Information Systems Security (INFOSEC)Glossary. The Department should formally adopt this document; the DIAP shouldcoordinate with NSTISSI on the development, maintenance, and publishing of an annex toNSTISSI Number 4009 for DoD IA terminology not yet adopted by NSTISSI; and theDIAP should ensure that subordinate documents are consistent with these two documents.

The IPT focused its IA training efforts on five “critical” IA functions because thesefunctions entail the highest risk:

•••• System/Network Administration and Operations

•••• Computer/Network Crime

•••• Threat and Vulnerability Assessment

•••• Computer Emergency Response Team (CERT)

•••• Web Security

This does not mean that remaining functions do not carry a level of risk in the performanceof the functions. It does mean that the “critical” functions pose a significantly greater levelof risk because of the privileged access. Since the people assigned to these functions aregiven the “keys to the kingdom,” they are the ones that should be the most capable of

20

protecting the availability and integrity of our information systems, thereby ensuring ourinformation superiority. These same people can put our information systems into a highlyvulnerable state, either deliberately, or more likely, inadvertently because they are notproperly trained. If the Department is serious about information superiority, it must beequally serious about the high standards it sets for these IA personnel. Technology helpsthem do the job, but training keeps them prepared to use the existing and emerging tools oftechnology effectively and appropriately.

It is essential that these certification requirements are consistent, equivalent, and transferableacross Services and Agencies. In a joint environment, the Department cannot afford to giveits warfighters anything less. In this regard, DISA should be tasked to develop baseline IAtraining to meet recommended certification training requirements across the Department.CINCs, Services, and Agencies can then use these baselines when determining their Title 10training requirements.

Training alone was not considered a sufficient criterion to optimize the security of ourinformation systems. Instead, the IPT determined that since information assurance is a corecompetency and capability essential for achieving information superiority, a process offormal certification using common Department standards was a critical requirement,especially for these five functions. This process begins with formal classroom or computer-based training followed by a period of observed performance demonstrating competence inspecific knowledge, skills, and abilities. It requires an official designation of this competencythrough documented certification and approval by the local commander. Because of theshort shelf life of IA technology, certification has a limited validity period; therefore, re-certification is required to keep knowledge and skills current.

The IPT did not address certification and/or training requirements for either theComputer/Network Crime or the Web Security functions since these were already underdevelopment. In the case of Computer/Network Crime, a 1998 memorandum1 fromDEPSECDEF tasked the Air Force to act as executive agent for the Department to developtraining requirements. In the case of Web Security, another DEPSECDEF memorandum2

in the same year chartered a separate IPT to develop certification and training requirements.

Appendices H, I, and J contain the IPT certification requirements for the remaining three“critical” functions: System/Network Administration and Operations, Threat andVulnerability Assessment, and CERT, respectively. These certification documents are basedon NIST Special Publication 800-16, Information Technology Security Training Requirements: ARole- and Performance-Based Model, and the NSTISSC National Training Standard Instructions.Although the DoD has invested much effort in the development of these NISTrequirements and NSTISSC standards, they currently are applicable only to the federalnational security community since the DoD has not formally adopted them. Further, the

1 Department of Defense, Deputy Secretary of Defense, Department of Defense Reform Initiative

Directive #27 — DoD Computer Forensics Laboratory and Training Program, February 10, 1998.2 Department of Defense, Deputy Secretary of Defense, Information Vulnerability and the World Wide Web,

September 24, 1998.


21

IPT’s certification documents include additional specific DoD operational performanceneeds.

The certification requirements outlined in Appendices H through J have certain prerequisitesstipulated. Specifically, background investigations and specific IA training requirementsand/or other certification requirements are listed. It is important that Services and Agenciesrecognize that the intent of the IPT was that these prerequisites must be met before theindividual is granted privileged access.

3.4.2 Contractor Certification Requirements

Contractors are performing many “critical” IA functions. Their effort is expected toincrease for a variety of reasons. However, because of the concerns about protecting theDepartment’s networks and ensuring properly trained and certified personnel, contractorpersonnel must be held to the same or equivalent standards as government personnel.Contractual provisions are available for defining standards that must be met by contractorpersonnel. Certification requirements can be included as an attachment to the Statement ofWork (SOW), and contractors can be instructed to identify those personnel proposed for“privileged access” via a Key Personnel clause. This method requires governmentalapproval for individual(s) proposed, and maintains the contractual right to approval for anysubsequent replacement personnel. Certification of contractor personnel at the requiredlevels of expertise would then take place at the time of the contract award.

3.4.3 Long-Term IA Training Initiative

The long-term viability and capability of our IA workforce is a strategic IA element inachieving information superiority.

DoD Components have a number of IA-related training courses underway and indevelopment, but each of these has limitations that impact the Department’s readiness torespond decisively and effectively to information system attacks. A more efficient andeffective way is needed to train, assess, and certify DoD personnel in “critical” IAknowledge and skills.

The Defense Acquisition University (DAU) has demonstrated how high-quality Web-basedtraining can be provided to DoD personnel anytime and anywhere. DAU has invested insoftware to manage students (while taking courses online) that can be quickly adapted for IAtraining and implemented by other training providers.

Adopting a Web-based training approach and an associated management information systemwould enable the Department to quickly develop, distribute, and manage IA training acrossthe DoD. This training approach is particularly well suited to support the unique demandson the Department’s Reserve Components. It would reduce the time and cost associatedwith travelling to and maintaining a classroom and/or platform training. It would establishcommon learning objectives and performance standards relating to specific occupations andskill levels. It would provide a means to quickly update and distribute IA-relatedinformation to specific personnel at their job sites whenever needed. And it would reducethe cost of redundant course development effort underway in each Component.

22

The President’s Executive Order 13111 of January 1999 tasked the federal agencies withincreasing the use of learning technology to enhance the cost-effectiveness of federaleducation and training. In keeping with the intent of this Executive Order, DoD shouldlaunch a Web-based IA training program in collaboration with the other federal agencies.This effort would reduce the cost of DoD’s investment while simultaneously enhancing thereadiness of all federal network and information systems.

4. Roadmap to Improvements

23


4.1 Implementing the IPT Recommendations

Previous chapters presented the IPT’s recommendations. These recommendations, when fullyimplemented, will significantly improve the Department’s capability to meet the JV 2010 goal ofinformation superiority. What the Department will accomplish is depicted in Table 3.

Table 3. Anticipated Results and Implementation Status

If the DoDImplements… The Results Would Be… Projected or Current Status

Recomm. 1 The Department’s IT and IA workforces,both authorized billets and positions andpersonnel, will be able to besystematically and continually identifiedand quantified. This capability will beinstitutionalized.

Implementation in the mode of“business-as-usual” will require aboutthree years once funding is provided. Ifsufficient priority is given to thisrecommendation, completion could berealized in about 18 to 24 months.

Recomms.2, 3, and 4

The Department will have more accurateinformation about its government andcontractor mix in the IT/IA workforce. Amechanism will be in place to maintain acore capability in these critical functionsand to assess the risk of additionaloutsourcing.

Work is being currently initiated inthese areas. By next year, informationwill be available to begin examination ofoutsourcing issues and risks.

Recomm. 5 The Department will have a forum forServices’ military IT career managers toidentify and assess improved methods formanaging their people.

Implementation could be completedwithin three months or less andcontinue as long as the shortage of ITpersonnel is a serious problem.

Recomm. 6 Local commanders and directors willhave better information on already-approved civilian personnel managementcapabilities to improve their ability torecruit and retain civilian ITprofessionals.

Implementation can be completedwithin three months. The use ofrecruiting bonuses and retentionallowances can be tracked on a regularbasis.

Recomms.7, 8, 9, and 10

IT training for the Department’s seniorexecutives (military and civilians) andCIO staffs will meet the requirements ofthe Clinger-Cohen Act.

CIO staff training can beginimmediately. However, funding isnecessary to accommodate additionalthroughput of students and thedevelopment of course and curricula toaddress new IT training requirements.

Recomms.11, 12, and 13

The Department will have a common IAlanguage, a common reference point forjoint training requirements, and a

Adoption of the NSTISSI Glossary andtraining standards can be implementedwithin three months. Development of a

24

If the DoDImplements… The Results Would Be… Projected or Current Status

baseline IA training standard. DoD Glossary supplement and UJTLand JMETL modifications can beimplemented within six months.

Recomms.14, 15, and 17

The Department will have increasedassurance about the reliability of the IAworkforce and its ability to protect theintegrity and availability of theDepartment’s interoperable andnetworked information systems. Aninstitutionalized certification process willreplace today’s non-existent standards,including maintaining the currency of thestandards.

Although full implementation willrequire three to five years once fundingis provided, substantial progress can beachieved annually if appropriatepriority is given to the effort.

Recomms.16 and 18

The Department will have the capabilityto maintain current IA training modulesand deliver this training to the workforcein a timely and cost-effective manner aswell as track the currency of theworkforce’s certification.

Although it will take five years to fullyimplement these recommendations, bycapitalizing on similar work alreadycompleted, the requirements can beprioritized, with specific capabilitiescompleted progressively beginning withthe first year after funding is provided.

Recomm. 19 The Department’s IT/IA contractors willmeet the same minimum training andcertification requirements as our militarypersonnel and civilian employees.

The policy can be promulgated withinsix months. All new contracts wouldmeet the requirements from the timethe policy was promulgated. Estimatesare up to two years before all existingcontracts requiring changes areamended.

4.2 Priorities

The nineteen recommendations are grouped into four priorities: 1, 2, 3, and 4.

•••• Priority 1 recommendations are those which have a direct impact on substantially improvingthe Department’s ability to protect the integrity and availability of its information systemsand networks and its ability to operate effectively in a joint warfighting environment.Recommendations 14, 15, and 19.

•••• Priority 2 recommendations are those which enable the Department to substantiallyimprove its ability to manage its IT workforce or which provide long-term efficiencies forPriority 1 recommendations. Recommendations 1, 2, 3, 6, 10, and 18.

•••• Priority 3 recommendations are those which enable the Department to improve the qualityof its IT workforce and maintain improvements realized as a result of implementing Priority1 recommendations. Recommendations 5, 7, 8, 9, 16, and 17.

•••• Priority 4 recommendations are those which will provide official policy guidance to supportthe recommendations above. Recommendations 4, 11, 12, and 13


25

4.3 Costs

These recommendations are not without cost. The IPT’s recommendations are listed in Table 4 onpage 26, along with the costs to implement. Approving the recommendations will not result inimplementation, simply another unfunded requirement. Appropriate dollars must be provided. Tofully fund these recommendations will require $77.5 million over the next five years. Once therecommendations are approved and the dollars provided in the budget, the timelines shown in thenext section can commence. See Appendix K for Service and Agency cost breakouts.

4.4 Timeline for Implementation

The timeline shown in Appendix L begins with Month 0. Month 0 is defined to be that month inwhich implementation is directed and, when required, dollars are provided.

4.5 Future Issues to be Addressed by OSD

There are a number of issues left unresolved due to a lack of personnel data. OnceRecommendation 1 is fully implemented, the workforce needs to be analyzed and managementalternatives examined with respect to:

•••• The impact of the non-IT professional assigned IT functions;

•••• The size and distribution of the civilian IT professional workforce and the desirability of acareer management program for that workforce; and

•••• Recruiting and retention statistics for the civilian IT workforce and identification of requiredmanagement actions.

There are two additional issues that should be considered for additional work:

•••• Certification requirements should be developed for the non-critical IA functions.

•••• Staffing guidelines for manpower-intensive IA functions should be developed usingindependent variable(s) that can be easily determined during the program/budget process.

26

Table 4. IPT Recommendations and Their Costs

Recommendation Page Cost

Recommendation 1: Direct the OUSD (P&R) to establish the requirement that theCINCs, Services, and Agencies identify manpower and personnel assigned IT/IAfunctions, enter the required information into the appropriate databases, andmaintain these databases as changes occur.

9 $12.5M

Recommendation 2: Direct the OASD (C3I) to work with the OUSD (A&T) and theOUSD (P&R), as part of the Inherently Governmental Working Group (IGWG), torevise IT function codes and develop definitions that more accurately reflect today’s IT

and IA activities.

9 No cost

Recommendation 3: Direct the OASD (C3I) to draft guidance for review by theInherently Governmental Working Group to be used by the DoD Components todetermine core IT and IA requirements to minimize the risk of losing mission

capability.

9 No cost

Recommendation 4: Direct the OUSD (A&T) to consider the merits of developing andmaintaining a database that shows contractor staff-years against major functions,

especially IT and IA.9 No cost

Recommendation 5: Direct the ODASD (MPP) to establish a steering group comprisedof OSD, Joint Staff, and each of the Services (including the Coast Guard) to focus on

military IT personnel issues.10 No cost

Recommendation 6: Direct the ODASD (CPP) to work with the ASD (C3I) to widelypublicize OPM flexibilities available to address civilian IT recruiting and retention

problems.13 No cost

Recommendation 7: Direct the OASD (C3I) to require the staffs of the DoD CIOs atthe GS-13 through the GS-15 levels to complete the DoD CIO Certificate Program or

the Advanced Management Program at the IRMC.13 See Recomm. 9

Recommendation 8: Direct the OUSD (P&R) and the OASD (C3I) to issue policydirecting the Services/Agencies to implement a mandatory requirement that DoDCIOs, Deputy CIOs, and SESs and flag officers on the CIO staffs attend DoD-

sponsored ITM executive sessions.

13 See Recomm. 9

Recommendation 9: Direct the OUSD (Comptroller) to provide resources (personneland funding) to the IRMC to accommodate additional training requirements of the

DoD ITM workforce.11 $5.8M

Recommendation 10: Direct the OASD (C3I) to work with the Joint Staff and theODASD (CPP) to develop an IT contemporary issues training module for the CAP-

STONE and APEX training sessions.13 No cost

Recommendation 11: Direct the OASD (C3I) to officially adopt NSTISSI Number4009, National Information Systems Security (INFOSEC) Glossary, as the official IAGlossary. This requires the Defense-wide Information Assurance Program (DIAP) toformally coordinate an annex defining terminology not yet officially adopted by

NSTISSI but used by the Department.

16 No cost

Recommendation 12: Direct the Joint Staff to review the defensive informationoperations requirements in the context of JV 2010 and translate these requirementsinto the Universal Joint Task List (UJTL) and the Joint Mission Essential Task List

(JMETL). 20 No cost


27

Recommendation Page Cost

Recommendation 13: Direct the OASD (C3I) to officially adopt the NIST SpecialPublication 800-16, Information Technology Security Training Requirements: A Role-and Performance-Based Model and the NSTISSIs as the minimum DoD IA training

standards.

16 No cost

Recommendation 14: Direct the OUSD (P&R) and the OASD (C3I) to establish therequirement that the CINCs, Services, and Agencies establish mandatory trainingand/or certification programs for the five “critical” IA functions, using the NSTISSCtraining standards and the IPT-developed certification requirements as the minimumrequirement. In support of this, DISA shall develop baseline IA training courses tomeet the IA training requirements stipulated in the IPT certification documents.These courses can then be used by the Services and Agencies to meet the certificationIA training requirement or enhanced by the Service and Agency to meet its uniqueneeds.

16 $10.5M

Recommendation 15: Direct the OASD (C3I) to establish the requirement that noperson assigned to a “critical” IA function at the entry level may be granted privilegedaccess until the required IA training is successfully completed.

17 No cost

Recommendation 16: Direct the OUSD (P&R) and the OASD (C3I) to establish therequirement that the CINCs, Services, and Agencies document these certificationprograms in full and develop the capability to readily produce detailed answers aboutthe status of certifications.

17Unknown —should be

included in Recomm. 18.

Recommendation 17: Direct the OUSD (P&R) and the OASD (C3I), in concert withthe CINCs, Services, and Agencies, to coordinate biennial reviews of each certificationand/or training program to ensure the currency and utility of the requirements.

17 No cost

Recommendation 18: Direct the OUSD (P&R) and the OASD (C3I) to develop andestablish an Advanced Distributed Learning program, including a certificationmanagement system, for IA training and education at DISA or other appropriatelocation. The IA Advanced Distributed Learning effort will support implementation ofan IA element within the Federal Center for Information Technology Excellenceproposed under PDD 63.

17 $49M

Recommendation 19: Direct the OASD (C3I) to incorporate into the DODD 8500.xx,Information Assurance, the requirement for contractors assigned “critical” IAfunctions to meet the same or equivalent certification and training requirements asDepartment personnel. This recommendation requires that the OUSD (A&T) provideguidance to Contracting Officers to ensure these requirements are included in affectedcontracts.

17Unknown cost — unableto determine at this time

28

App. A. Private Sector

A-1

Appendix A.Private Sector Recruiting and Retention Techniques

What are Private Sector IT Recruiting Techniques?

Compensation Offer competitive salaries…geographic diversification to lower labor costs

Hiring bonuses for top candidates

Use contingent workers extensively…lowers cost of pay and benefits

Employee Stock Option Plans (ESOP) used extensively at smaller firms

Recruits also interested in portable 401(k) plans

TargetedAudience

Pursue graduates from two distinct educational sources:

Vocational-Technical schools (like DeVry) for systems administrators

Colleges & Universities for engineers, software developers, knowledge workers

Variations of Best of the Best program:

Recruit at target colleges, 1 year rotational assignments in field & corp. HQ

Trainee then chooses preferred assignment and location

Smaller firms cannot afford college recruiting, often use corporate headhunters

RecruitingTools

List website in newspaper, movie theater ads

E-mail existing resume or create individualized resume

Use cookie technology to trace inquiries

Cold calling to potential candidates in competing firms

Infiltrate social events, like exchanging business cards at microbrewery festivals,art fairs, home & garden shows

Assign candidates an in-house, demographically similar pal

Pals receive referral fee if recruits are hired

Source: Defense Manpower Data Center

A-2

What are Private Sector IT Retention Techniques?

JobSatisfaction

Provide challenging and rewarding work, clearly defined career progressionpaths

Lowest turnover among engineers and software developers

Conduct periodic surveys of attraction & retention trends: Why did youstay/leave?

Compensation Bonuses can range from 7% (technical support) to 50%+ (key managers)

Stock options for star performers…supervisors often given attrition rate ceilingson these major revenue producers

Up to $10K for referring new hires

Promise of unlimited potential for financial reward based on firm’s profitability

Quality ofLife Amenities

More flexible workforce...80 hours of work over 9 workdays, job-sharing,contingent workers, telecommuting

Key workers get laptops and Intermediate Service Digital Network lines tohomes

Extensive equipment and software for telecommuters

Typical Silicon Valley QOL package includes workout facilities, dry cleaningservices, movie rentals, gourmet cafeterias

Training Often conducted after normal working hours

In-house technical training and fully funded advanced degrees

Training needs usually subordinate to quarterly revenue targets

Source: Defense Manpower Data Center

App. B. Recruiting and Retaining

Office of Personnel ManagementB-1

Appendix B.Recruiting and Retaining

Information Technology Professionals

B-2

RECRUITING AND RETAINING

INFORMATION TECHNOLOGY PROFESSIONALS

Prepared by the U.S. Office of Personnel Management

November 1998



RECRUITING AND RETAINING INFORMATION TECHNOLOGY PROFESSIONALS

As we move toward the 21st century, it has become increasingly important for the FederalGovernment to recruit and retain information technology (IT) professionals3

with the skillsand competencies needed to meet new technology challenges and remain competitive withthe private sector. As agencies develop strategies for recruiting and retaining ITprofessionals, they will find that a number of existing human resource managementflexibilities and resources are available to help address the recruiting and retention problemsfacing IT managers.

The Office of Personnel Management (OPM) has compiled a list of human resourcemanagement approaches and tools that agencies may use in designing IT recruitment andretention strategies and in resolving current staffing problems. This document describessome of the staffing, compensation, award, and training flexibilities that are available to helpagencies attract and retain IT professionals, including members of the Senior ExecutiveService (SES), and describes some of OPM’s human resource management initiativescurrently under development. In addition, the Appendix provides information on otherFederal benefits that may help address employee recruitment and retention issues, such aswork life flexibilities and leave, retirement, and insurance benefits. Finally, the Appendixprovides a list of OPM contacts for additional information on these flexibilities.

The following pay and benefit options and recruitment tools are important for Federalmanagers to use as they compete with other employers. Managers of information technologyneed to know how to use these tools and how they can best be combined to solve particularstaffing problems. But the listed tools alone cannot solve the problems of IT workershortages. The reasons employees choose other employers are many. For example, a studyby the placement firm, Blessing-White, suggests that conflict between employees andsupervisors is a strong factor in leading IT employees to leave their jobs.

Perhaps the most important factor in attracting and retaining information technologyprofessionals is conscientious and direct involvement by IT managers. Managers need toidentify where targeted recruiting efforts are likely to be fruitful. Managers need to bespecific in describing the work that is to be done and the competencies that need to be used.

3 Federal information technology positions are typically classified under the General

Schedule (GS) in the following series: GS-334, Computer Specialist; GS-391,Telecommunications Specialist; GS-854, Computer Engineering; and GS-1550, ComputerScience. The grades of Federal IT positions typically range from GS-5 to GS-15 in suchareas as policy, expert, supervision, and management. There are also IT positions in theSenior Executive Service. Occupational series and grade levels vary according to actual dutiesand responsibilities assigned to specific positions.

B-4

Managers need to be creative in “selling” prospective employees on the nature andimportance of their agencies’ projects. And managers need to be accomplished in coachingand leading IT employees.

Probably the best way for Federal agencies to resolve their IT recruitment and retentionproblems is to band together in seeking solutions, relying on the combined insights ofmanagers and personnel lists. An effective way to do this is through an interagency taskforce, and one has been formed to address this specific issue. Representatives of the HumanResources Technology Council have joined forces with the Education and TrainingCommittee of the Chief Information Officer’s Council to look at specific problems andsolutions in IT employee recruitment, retention, development and workforce planning. Thetask force brings together knowledgeable leaders from OPM, the Office of Management andBudget (OMB), the Interagency Advisory Group of Personnel Directors, the HumanResources Development Council, and the financial and IT communities.

TOOLS AND STRATEGIES

A. Strategies for Recruiting New Employees

For information on additional flexibilities that are available to help recruit new employees, see the Appendix.

1. Agency-Based Flexibilities

The Federal Job Search Process− This 3-step process begins with Federal agencies listing job opportunities in the

USAJOBS Government-wide automated employment information system. Jobseekers may access the system in any of the following ways:

− on the world wide web at http://www.usajobs.opm.gov;

− by electronic bulletin board at 912-757-3100;

− by telephone at 912-757-3100 (912-744-2299 TDD) or local telephone serviceavailable at 17 OPM Service Centers around the country; or

− touch screen computer kiosks located throughout the nation at OPM offices,Federal buildings, and some colleges and universities.

The USAJOBS systems provide access to over 6000 daily updated job listings, full jobannouncements, and fact sheets on commonly requested Federal employment topics.

The second step is to review the job announcement to determine eligibility andinterest.



The final step in this process is to follow the application instructions. Application formost jobs can be with a resume, the Optional Application for Federal Employment(OF-612), or any other written format. For unique jobs or those filled throughautomated procedures, special forms and/or instructions may be identified in the jobannouncement.

Alternative Short-Term Recruitment and Staffing Options− Use of temporary appointments in the competitive service for positions not expected

to last longer than 1 year, but which may be extended for 1 additional year.Recruitment for these positions is accomplished through the competitive process. [5CFR part 316]

− Use of term appointments in the competitive service when positions are expected tolast longer than 1 year, but not more than 4 years. Reasons for making termappointments include project work and extraordinary workloads. Recruitment isaccomplished through the competitive process. [5 CFR part 316]

− Making appointments with varying work schedules such as part-time (which mayinclude job-sharing arrangements), intermittent, and seasonal. Intermittent workschedules are used only when the nature of the work is sporadic and unpredictable.Seasonal work involves annually recurring periods of work which is expected to lastat least 6 months during a calendar year. The use of varying work schedules mayserve as an incentive to attract applicants who prefer to work less than full-time. [5CFR part 340]

− The excepted service appointment of expert and consultants under 5 U.S.C. 3109 toperform expert or consultant work that is temporary (not to exceed 1 year) orintermittent. (This differs from employing experts and consultants throughprocurement contracts, which are covered by regulations issued by the GeneralServices Administration.) Under 5 CFR part 304, an expert is someone who isspecifically qualified by education and experience to perform difficult andchallenging tasks in a particular field beyond the usual range of achievement. Aconsultant is someone who can provide valuable and pertinent advice generallydrawn from a high degree of broad administrative, professional, or technicalknowledge or experience. - The appointment of veterans in the excepted serviceunder the Veterans’ Readjustment Appointment. This is a special authority underwhich agencies can appoint an eligible veteran up through the GS-11 or equivalentgrade level without competition. The candidate must meet specific servicerequirements along with the applicable qualification requirements. [5 CFR part 307]

− The appointment of graduate and undergraduate students in the excepted serviceunder the Student Educational Employment Program. There are two components ofthis program: the Student Temporary Employment Program (STEP) and StudentCareer Experience Program (SCEP). These are special authorities under whichagencies can appoint students who are enrolled or have been accepted for enrollmentfor at least a part-time schedule at an accredited institution. Appointment in theSTEP program is not-to-exceed 1 year, and may not be converted to permanent.Individuals in the SCEP program may be noncompetitively converted to

B-6

career/career-conditional appointments within 120 days of academic requirementscompletion. Agencies may pay for college courses that improve the performance ofstudents hired under SCEP. In return, the agency may require the student to sign acontinued service agreement with the agency.

− A detail within a department of its employees for brief periods. 5 U.S.C. 3341 allowsfor intra-agency details in increments of 120 days when approved by the head of thedepartment.

− Commercial temporary help services may be used for brief periods (120 days, with anextension of an additional 120 days) for short-term situations. This option may beused only when regular recruitment and hiring procedures are determined to beimpractical, and is accomplished through the Federal procurement system. [5 CFRpart 300, subpart E]

− Agencies may also choose to enter into various types of contracts where appropriate.These contacts are also handled through the Federal procurement system.

Travel and Transportation Expenses for Interviews and/or New Appointments

An agency, at its discretion, may pay the travel or transportation expenses of anyindividual candidate for a pre-employment interview, or pay travel and transportationexpenses for a new appointee to the first post of duty. For either payment, a decisionmade for one vacancy does not require a like decision for any similar future vacancies.Before authorizing any payments, the agency must consider factors such as availabilityof funds, desirability of conducting interviews, and feasibility of offering a recruitingincentive. [5 U.S.C. 5706b; 5 CFR part 572]

Superior Qualifications Appointments

Federal agencies have the authority to set pay for new appointments orreappointments of individuals to General Schedule positions above step 1 of thegrade based on superior qualifications of the candidate or a special need of theagency. Agencies must have documentation and recordkeeping procedures on makingsuperior qualifications appointments in place in order to make such appointments. [5U.S.C. 5333; 5 CFR 531.203(b)]

Advancement Opportunities

Employees hired into positions that have been announced as having “promotionpotential” to a certain grade level may receive noncompetitive promotions up to thatpre-determined level.

Advance Payments for New Appointees

Agencies may advance a new hire up to two paychecks so that a new employee canmeet living and other expenses. [5 U.S.C. 5524a; 5 CFR part 550, subpart B]



Use of “Highest Previous Rate”

Upon reemployment, transfer, reassignment, promotion, demotion, or change in typeof appointment, agencies have discretionary authority to set the rate of basic pay of anemployee by taking into account a rate of basic pay previously received by anindividual while employed in another civilian Federal position (with certainexceptions), not to exceed the maximum rate of the employee’s grade. [5 U.S.C.5334(a); 5 CFR 531.202 (definition of “highest previous rate”) and 531.203(c) & (d)]

Recruitment and Relocation Bonuses

Agencies have discretionary authority to make a lump-sum payment of up to 25percent of basic pay to a newly appointed employee (in the case of a recruitmentbonus) or to an employee who must relocate (in the case of a relocation bonus) to filla position that would otherwise be difficult to fill. In return, the employee must sign aservice agreement with the agency. A recruitment bonus may be used in combinationwith superior qualifications appointments. Recruitment and relocation bonuses mustbe paid in accordance with the agency’s previously established recruitment andrelocation bonus plans. Recruitment and relocation bonuses are subject to theaggregate limitation on total pay (currently $151,800). [5 U.S.C. 5753; 5 CFR part 575,subparts A and B]

2. Flexibilities Available with OPM and/or OMB Approval

Special Salary Rates

OPM is authorized to establish higher special rates of pay for an occupation or groupof occupations nationwide or in a local area based on a finding that the Government’srecruitment or retention efforts are, or would likely become, significantly handicappedwithout those higher rates. The minimum rate of a special rate range may exceed themaximum rate of the corresponding grade by as much as 30 percent. However, nospecial rate may exceed the rate for Executive Level V (currently $110,700). A specialrate request must be submitted to OPM by department headquarters and must becoordinated with other Federal agencies with employees in the same occupationalgroup and geographic area. [5 U.S.C. 5305; 5 CFR part 530, subpart C]

Critical Position Pay Authority

Based on a recommendation from OPM, OMB is authorized to increase the rate ofbasic pay for a position up to the rate for Executive Level I (currently $151,800).Critical pay may be authorized for a position that requires expertise of an extremelyhigh level in a scientific, technical, professional, or administrative field or one that iscritical to the agency’s successful accomplishment of an important mission. Criticalpay may be granted only to the extent necessary to recruit or retain an individualexceptionally well qualified for the position. [5 U.S.C. 5377; OMB Bul. No. 91-09]

B-8

B. Strategies for Retaining Current Employees

For information on additional flexibilities that are available to help retain currentemployees, see the Appendix.


Retention Allowances

Agencies have discretionary authority to make continuing (i.e., biweekly) payments ofup to 25 percent of basic pay to individual employees and of up 10 percent of basicpay to a group or category of employees based upon a determination by the agencythat (1) the unusually high or unique qualifications of the employees or a special needof the agency for the employees’ services makes it essential to retain the employees,and (2) the employee or a significant number of employees in the targeted categorywould be likely to leave the Federal Government (for any reason, includingretirement) in the absence of a retention allowance. Retention allowances must bepaid in accordance with the agency’s previously established retention allowance planand must be reviewed and certified annually. Retention allowances are subject to theaggregate limitation on total pay (currently $151,800). [5 U.S.C. 5754; 5 CFR part 575,subpart C]

Premium Pay, Exceptions to the Biweekly Limitation

The head of an agency or his or her designee may make an exception to the GS-15,step 10, biweekly limitation on premium pay when he or she determines that anemergency involving a direct threat to life or property exists. If the head of an agencydetermines that such an emergency exists, the premium pay paid to an employeeperforming work in connection with that emergency, when added to the employee'srate of basic pay (including any locality payment or special salary rate), must not causehis or her total pay to exceed the rate for GS-15, step 10 (including any localitypayment or special salary rate), on an annual basis. [5 U.S.C. 5547(b); 5 CFR 550.106]

OPM encourages agencies to exercise this authority in the case of any employee whoperforms emergency work to resolve a direct threat to property (including monetaryerrors or costs) in connection with updating computer systems to preventmalfunction, erroneous computations, or other problems related to the Year 2000conversion. By exercising this authority in appropriate situations, agencies will be ableto ensure that employees who perform significant amounts of overtime work (orwork at night, on Sunday, or on a holiday) will be appropriately compensated for thatwork, as long as the premium pay they receive does not cause their total pay to exceedthe rate for GS-15, step 10, on an annual basis.


As previously described in A(1), agencies have the discretion to set pay above theminimum rate of the grade upon transfer, reassignment, promotion, demotion, or



change in type of appointment using the “highest previous rate” authority. [5 U.S.C.5334(a); 5 CFR 531.202 (definition of “highest previous rate”) and 531.203(c) & (d)]

Granting a “Quality Step Increase”

Agencies have discretionary authority to accelerate an employee’s pay by granting aquality step increase. A quality step increase is an additional step increase that may begranted to an employee who has received the highest rating of record available underthe applicable performance appraisal program, which would be “Outstanding” orLevel 5 if such a level is available. Employees in agencies which do not have an“Outstanding” level must also meet additional criteria specified by the employingagency. These are basic pay increases for all purposes. No more than one quality stepincrease can be granted within a 52-week period, and such an increase cannot causethe employee’s pay to exceed the maximum rate of the grade. [5 U.S.C. 5336; 5 CFRpart 531, subpart E]

Performance and Incentive Awards

Agencies have discretionary authority to grant an employee a lump-sum cash awardbased on a “Fully Successful” or better rating of record or in recognition ofaccomplishments that contribute to the efficiency, economy, or other improvementof Government operations. Awards can be tied to specific achievements such asmeeting milestones identified as part of the work needed to achieve Year 2000conversion goals. Cash awards do not increase an employee’s basic pay. Awards basedon the rating of record can be up to 10 percent of salary, or up to 20 percent forexceptional performance, provided the award does not exceed $10,000 per employee.[5 U.S.C. 4302, 4503, 4505a; 5 CFR 451.104]

2. Flexibilities Available with OPM and/or OMB Approval

Retention Allowances

Upon the request of the head of an agency, OPM may approve a retention allowancein excess of 10 percent, not to exceed 25 percent, of an employee’s rate of basic payfor a group or category of employees based upon a determination by the agency that(1) the unusually high or unique qualifications of the employees or a special need ofthe agency for the employees’ services makes it essential to retain the employees, and(2) a significant number of employees in the targeted category would be likely to leavethe Federal Government (for any reason, including retirement) in the absence of aretention allowance. Retention allowances must be paid in accordance with theagency’s previously established retention allowance plan and must be reviewed andcertified annually. Retention allowances are subject to the aggregate limitation on totalpay (currently $151,800). [5 U.S.C. 5754; 5 CFR part 575, subpart C]

B-10

Special Salary Rates

As previously described in (A)(2), the special salary rate authority helps agencies retainemployees in occupations or geographic areas experiencing a staffing problem. [5U.S.C. 5305; 5 CFR part 530, subpart C]

Awards Over $10,000

When agencies exercise the discretionary awards authority described in (B)(1), anyaward that would grant over $10,000, up to $25,000, to an individual employee mustfirst be submitted to OPM for review and approval. Any award that would grant over$25,000 to an individual employee must be reviewed by OPM for submission to thePresident for approval.

C. Strategies for Rehiring Former Employees



As previously described (A)(1), agencies have the discretion to set pay above theminimum rate of the grade upon reemployment using the “highest previous rate”authority. [5 U.S.C. 5334(a); 5 CFR 531.202 (definition of “highest previous rate”) and531.203(c) & (d)]

2. Flexibilities Available with OPM Approval

Waiver of Dual Compensation Restrictions for Reemployment of Military and CivilianRetirees

Laws restricting dual compensation prohibit retired regular military officers of alluniformed services and all Federal civilian retirees from getting the full combinedvalue of their salary and annuity upon reemployment in the Federal service. Inaddition, for all military retirees the law sets a “pay cap” that limits the combinedbasic pay plus military retired pay to level V of the Executive Schedule (currently$110.700).

The Director of OPM may waive the reduction in a retiree's salary or annuity, whenan agency encounters exceptional difficulty in recruiting or retaining a qualifiedcandidate for a particular position. Agency heads may ask OPM to waive reductionson a case-by-case basis as described in 5 CFR part 553. In addition, agency heads mayask OPM to delegate waiver authority for temporary positions to deal with “anemergency involving a direct threat of life or property or other unusualcircumstances.” Under delegated authority the agency head can provide waivers on acase-by-case basis.

Generally, OPM responds to requests that meet the criteria in 5 CFR 553 within 2weeks of receipt. The Director of OPM has announced the availability of delegations



and case-by- case waivers for temporary positions working solely on Year 2000conversion within 24 hours of receipt of an appropriate agency request. [5 U.S.C.5532(g), 8344(i), and 8468(f); 5 CFR 553]

D. Strategies for Recruiting and Retaining Senior Executives

Many of the strategies used for recruiting and retaining non-executive employees areavailable for senior executives as well, such as recruitment and relocation bonuses,retention allowances, travel for interviews and/or new appointments, critical pay,incentive awards, work life programs, and benefits. Therefore, this section willhighlight those additional flexibilities that pertain specifically to senior executives.Agencies have considerable flexibility for managing their executive resourcesprograms. They may exercise these authorities in accordance with law, OPMregulations, and agency delegations.

1. Agency-Based Flexibilities for the Senior Executive Service (SES)

• Decide how executive positions will be filled (i.e., competitively or noncompetitively)and what recruitment methods will be used. Reassign career appointees to any SESposition in the same agency for which qualified with advance written notice. [5U.S.C. 3132, 3134, 3393, and 3395(a); 5 CFR 317.901]

• Make SES limited emergency appointments (up to 18 months) and limited termappointments (up to 3 years) of career or career-type civil service employees to meetunanticipated temporary staffing needs, without competition, using an authorityfrom the agency's limited appointment pool provided by OPM regulation. [5 U.S.C.3132 and 3394; 5 CFR 317.601]

• Make career appointments to the SES using merit staffing procedures, after theexecutive qualifications of the selectee have been approved by an independentQualifications Review Board. [5 U.S.C. 3393; 5 CFR Part 317, subpart D]

• Set a senior executive's pay at any of the six SES basic pay rates, and adjust that rateonce in any 12-month period. [5 U.S.C. 5383(a), (c), and (d); 5 CFR 534.401]

• Pay annual lump-sum performance awards (bonuses) to SES career members, afterconsidering the agency Performance Review Board recommendations. Awards maybe between 5 percent and 20 percent of basic pay. [5 U.S.C. 5384; 5 CFR 534.403]

• Pay travel and transportation expenses for career appointees for “last move home.”If reassigned or transferred geographically (when eligible for optional ordiscontinued service retirement or within 5 years of eligibility for optionalretirement), career appointees are entitled to moving expenses at retirement.(Implementation regulations are issued by GSA as part of the Federal TravelRegulations.) [5 U.S.C. 5724]

B-12

• Individual executives may accumulate up to 90 days (720 hours) of annual leave,which can be carried over from one leave year to the next. [5 U.S.C. 6304; 5 CFRpart 630]

2. Flexibilities Available with OPM, OMB, and/or White House Approval

• Make SES limited emergency appointments (up to 18 months) and limited termappointments (up to 3 years) of private sector and other than career or career-typecivil service employees to meet unanticipated temporary staffing needs withoutcompetition. [5 U.S.C. 3132, 3394; 5 CFR 317.601]

• With White House approval, bestow Presidential Distinguished and MeritoriousRank Awards on SES career appointees for extraordinary executive accomplishmentover an extended period. Distinguished Executives receive $20,000; MeritoriousExecutives receive $10,000. [5 U.S.C. 4507; 5 CFR 451.201(c)]

E. Strategies for Using Training and Education to Recruit and Retain Employees

• Paying for Training and Education

− Agencies can pay for training and education to improve an employee’sperformance of his or her official duties. With this authority, agencies may pay,or reimburse an employee, for all or part of the necessary expenses of training,including the costs of college courses. [5 U.S.C. 4109(a)(2)]

− To recruit or retain employees in occupations in which an agency has oranticipates a shortage of qualified personnel, especially in occupations involvingcritical skills, an agency may pay for education leading to an academic degree.Merit system principles apply to selecting employees for academic degreetraining. [5 U.S.C. 4107(b); 5 CFR 410.308]

− Agencies may require service agreements for training of long duration or of highcost. With this authority, agencies protect their investment and secure a period ofservice from an employee once the employee completes needed training. [5U.S.C. 4108; 5 CFR 410.309]

• Sharing the Costs of Training and Education

Agencies may share training costs with employees. This authority allows agencies tosupport training and education that benefits both the agency and the employee. Ifboth agree, an agency may pay some of the costs of training, while the employee paysthe balance. An employee may pay the entire cost of training and attend trainingduring duty hours with agency approval. An agency may also reimburse an employeefor all or part of the costs of successfully completed training. [5 U.S.C. 4109(a)(2); 5CFR 410.401]



F. Other Human Resource Management Initiatives

OPM is currently developing human resource management (HRM) initiatives to equipagencies with the flexible systems they need to manage their human resourceseffectively. The 1998 HRM initiatives are only the beginning of OPM’s efforts toimprove Federal human resource management; agencies can expect more changes inthe future. Some of the 1998 HRM initiatives that may assist agencies in recruitingand retaining IT professionals include--

• Modernizing the current position classification system by establishing aGovernmentwide broadbanding authority, with some criteria specified in statute, forcurrent General Schedule positions.

• Providing pay flexibilities and creating more opportunities for using pay to supportstrategic objectives by--

− Establishing the flexibility to use the General Schedule as is or, at agency’sdiscretion, create more flexible pay administration features (i.e., pay-setting andwithin-range pay adjustments), for some or all GS employees, within the basic15-grade GS salary structure.

− Enhancing the recruitment and relocation bonus and retention allowanceauthorities by providing additional payment options (e.g., lump-sum, quarterly, orbiweekly payments) and higher payment limits.

− Increasing incentive award flexibility by establishing an explicit authority forgroup incentive schemes and raising the limit on cash awards that may begranted without outside approval, but retain Presidential approval of awardsabove that limit.

• Applying staffing tools to adapt to changing organizational needs by--

− Maintaining and enhancing decentralized recruiting, examining, and humanresource development.

− Providing hiring and staffing flexibilities, including authorizing categorical ratingprocedures for selection, establishing a nonpermanent appointment authority,and modernizing the qualifications system by establishing a general qualificationsframework.

B-14

APPENDIX

Additional Recruitment and Retention Incentives

A. Work Life Issues

• Employee Assistance Programs. These programs provide a variety of confidentialservices, including counseling and referrals, to employees who are experiencingpersonal problems such as work and family pressures, substance abuse, and financialproblems which can adversely affect performance, reliability, and personal health.

• Family Friendly Policies. The Federal Government is a leader in providing family-oriented leave policies and flexitime/telecommuting arrangements.

− Hours of Work and Scheduling Flexibilities -- provide agencies the discretionaryauthority to determine the hours of work for their employees. Agencies have theauthority to establish:

− Full-time, part-time, intermittent, and seasonal work schedules;− Hours of work for employees, including traditional day shifts, night and

weekend duty, rotating shifts, “first-40" schedules, paid and unpaid breaks inthe workday (not to exceed one-hour), and overtime; and

− Alternative work schedules to replace traditional schedules (e.g., 8 hours perday/40 hours per week, with fixed starting and stopping times) with thefollowing:

− Compressed work schedules (CWS). Compressed work schedules arefixed work schedules that enable full-time employees to complete thebasic 80-hour biweekly work requirement in less than 10 workdays.

− Flexible work schedules (FWS). Flexible work schedules consist ofworkdays composed of core hours and flexible hours. Core hours are thedesignated period of the day when all employees must be at work.Flexible hours are the part of the workday when employees may (withinlimits or “bands”) choose their time of arrival and departure. An agency’sFWS plan may permit employees to earn credit hours.

− OPM’s Handbook on Alternative Work Schedules provides a frameworkfor Federal agencies to consult in establishing alternative work schedulesand information to assist agencies in administering such programs. Thishandbook can be found on OPM’s web site at www.opm.gov.

− Telecommuting -- allows employees to work at home or at another approvedlocation away from the regular office.



− Part-Time Employment and Job Sharing -- may help balance an employee’s workand family responsibilities.

− Dependent Care Assistance -- is available to help employees with child and eldercare needs. Many agencies offer referral assistance to community resources,provide lunch and learn seminars, and sponsor caregiver fairs. Also, OPM issuedthe Handbook of Child and Elder Care Resources, which provides employees,managers, and employee assistance counselors with information aboutorganizations and agencies across the country that can help employees locatequality child and elder care services. Many Federal agencies also provide on-sitechild development centers.

B. Benefits

• Leave. Sick leave and annual leave policies are generous. Federal employees earn 13days of sick leave each year. There is no ceiling on the amount of sick leave that maybe carried over from year to year. Federal employees also earn 13 days of annualleave during each of their first 3 years of Federal employment. This exceeds thenorm of 2 weeks (10 days) in the private sector. Employees earn additional annualleave as their tenure with the Federal Government increases, up to a maximum of 26days per year after 15 years of service. Most employees can accrue a total of up to 30days of annual leave for carryover into the next leave year. SES members can accrueup to 90 days of annual leave for carryover. Other leave programs include:

− Leave Sharing Programs -- allow employees to voluntarily transfer some of theirannual leave to specific coworkers or to a leave bank to assist coworkers indealing with a personal or family medical emergency.

− Family and Medical Leave Act -- ensures that up to 12 weeks per year of unpaidfamily and medical leave are available on a gender-neutral basis and mandates jobsecurity for employees who take such leave.

− Other Leave Flexibilities -- sick leave can be used to care for family members, toarrange for or attend funeral services of family members, and for absencesrelating to adopting a child. Federal employees can receive additional paid leaveto serve as bone-marrow or organ donors.

• Health Insurance. Federal employees can enroll in health insurance coverage forthemselves and their families at reasonable rates. They enjoy one of the widestselections of plans in the country. Over 350 plans participate in the health insuranceprogram. Employees can choose among managed fee-for-service plans, healthmaintenance organizations, and point-of-service plans. There is an annual openseason during which employees can change their enrollment. Unlike a growingnumber of private sector health benefits programs, Federal employees can continuetheir health insurance coverage into retirement with a full Government contribution.Most enrollees pay only one-fourth of the health benefits premium.

• Holidays. Most Federal employees are entitled to 10 paid holidays each year.

B-16

• Subsidized Transportation. Agencies can pay for employees’ commuting costs toencourage the use of public transportation.

• Pensions. The Federal Employees Retirement System (FERS) is an outstanding 3-tiered plan to provide secure retirement, disability, and survivor benefits foremployees and their dependents. In addition to Social Security benefits as a base,FERS offers both an annuity that grows with length of service and a tax deferredsavings plan. Employees pay less than 1 percent of salary to qualify for the annuityand are fully vested after 5 years of service and, for disability benefits, after just 18months.

The savings plan allows employees to save up to 10 percent of salary for retirement.The Government contributes 1 percent of salary to employees who do not contributeand will match up to another 4 percent of savings for employees who do contribute.Because the savings plan is tax deferred, no income tax is due on either theemployee’s contributions or the Government matching funds, or the earnings onthose amounts, until retirement. Employees can choose to invest in any of threefunds, or to spread investments across the three funds: a Government securities fund,a bond fund, and a stock fund, all professionally and securely managed by anindependent Government agency, the Federal Retirement Thrift Investment Board. Abroader selection of investment funds is planned for the near future. Since theinception of FERS in 1987, the performance of this state-of-the- art retirementsystem has been excellent.

• Life Insurance. Most full-time and part-time employees are automatically enrolled inbasic life insurance equal to their salary, rounded to the next $1,000, plus $2,000. TheGovernment pays one-third of the cost of this group term insurance. Employees donot have to prove insurability; no physical is required. Basic coverage includes doublebenefits for accidental death and benefits for loss of limb(s) or eyesight. Employeescan also purchase optional insurance at their own expense. Optional coverageincludes additional insurance on the employee’s life as well as coverage for theemployee’s spouse and eligible children, if any.

Those younger than 45 receive an additional amount of coverage at no greater cost.The enhancement declines from double the basic amount for those 35 and youngerto zero at age 45, when coverage becomes the basic amount.

Accelerated death benefits are available to terminally ill enrollees so that they canreceive life insurance proceeds while they are living.

Many large organizations are cutting life insurance benefits to retirees. Untrue in theFederal Government, which allows life insurance to be continued into retirement. Itcan also be converted to private coverage upon termination, without proof ofinsurability.

In addition to offering the life insurance program, agencies can pay up to $10,000 tothe personal representatives of employees who die from injuries sustained in the lineof duty.



• Liability Insurance. A recently enacted law provides Federal agencies with the optionof using available funds to reimburse law enforcement officers and managers for upto one-half of the cost of professional liability insurance, protecting them frompotential liability and attorneys fees for actions arising out of the conduct of officialduties.

C. Resources

• Please contact your local human resources office first for additional information onthese recruitment and retention flexibilities.

• Additional information may be obtained from OPM’s web site athttp://www.opm.gov.

• The following is a list of OPM program offices that can provide information onthese flexibilities:

Employment Service

− Staffing Reinvention Office--Patricia Paige (202) 606-0830

Office of Executive Resources--Joyce Edwards (202) 606-1610

Office of Workforce Relations

− Office of Human Resources Development--Sarah Adams (202) 606-2721− Work and Family Program Center--Anise Nelson (202) 606-5520

Retirement and Insurance Service

− Retirement Issues--Mary Ellen Wilson (202) 606-0299− Insurance Issues--Abby Block (202) 606-0004

Workforce Compensation and Performance Service

− Classifications Programs Division--Judy Davis (202) 606-2950− Performance Management and Incentive Awards Division--

Peggy Higgins (202) 606-2720− Pay and Leave Administration Division--Jerome Mikowicz (202) 606-2858

App. C. Clinger-Cohen

C-1

Appendix C.Clinger-Cohen Competencies (IT Functions)

The Clinger-Cohen Act, Section 5002 (3), defines information technology as follows:

“(A) The term "information technology", with respect to an executive agency meansequipment or interconnected system or subsystem of equipment, that is used in theautomatic acquisition, storage, manipulation, management, movement, control, display,switching, interchange, transmission, or reception of data or information by theexecutive agency. For purposes of the preceding sentence, equipment is used by anexecutive agency if the equipment is used by the executive agency directly or is used by acontractor under a contract with the executive agency which (i) requires the use of suchequipment, or (ii) requires the use, to a significant extent, of such equipment in theperformance of a service or the furnishing of a product.

“(B) The term "information technology" includes computers, ancillary equipment,software, firmware and similar procedures, services (including support services), andrelated resources.

“(C) Notwithstanding subparagraphs (A) and (B), the term "information technology"does not include any equipment that is acquired by a Federal contractor incidental to aFederal contract.”

The Clinger-Cohen Core Competencies have been endorsed to serve as a baseline to assistgovernment agencies in complying with Section 5125(C)(3) of the Clinger-Cohen Act.(Revised 9/25/98).

1.0 Policy and Organizational

1.1 Department/Agency missions, organization, function, policies, procedures

1.2 Governing laws and regulations (e.g., Clinger-Cohen, GPRA, PRA)

1.3 Federal government decision-making, policy making process and budgetformulation and execution process

1.4 Linkages and interrelationships among Agency Heads, COO, CIO, and CFOfunctions

1.5 Intergovernmental programs, policies, and processes

1.6 Privacy and security

1.7 Information Management (new)

2.0 Leadership/Managerial

2.1 Defining roles, skill sets, and responsibilities of Senior IRM Officials, CIO,IRM staff and stakeholders

2.2 Methods for building federal IT management and technical staff expertise

C-2

2.3 Competency testing – standards, certification, and performance assessment

2.4 Partnership/team-building techniques

2.5 Personnel performance management techniques

2.6 Practices which attract and retain qualified IT personnel

3.0 Process/Change Management

3.1 Modeling and simulation tools and methods

3.2 Quality improvement models and methods

3.3 Techniques/models of organizational development and change

3.4 Techniques/models of process management and control models and methods

4.0 Information Resources Strategy and Planning

4.1 IT baseline assessment analysis

4.2 Interdepartmental, interagency IT functional analysis

4.3 IT planning methodologies

4.4 Contingency planning

4.5 Monitoring and evaluation methods and techniques

5.0 IT Performance Assessment: Models and Methods

5.1 GPRA and IT: Measuring the business value of IT

5.2 Monitoring and measuring new system development: When and how to “pullthe plug” on systems

5.3 Measuring IT success: practical and impractical approaches

5.4 Processes and tools for creating, administering, and analyzing surveyquestionnaires

5.5 Techniques for defining and selecting effective performance measures

5.6 Examples of and criteria for performance evaluation

5.7 Managing IT reviews and oversight processes

6.0 Project/Program Management

6.1 Project scope/requirements management

6.2 Project integration management

6.3 Project time/cost/performance management

6.4 Project quality management

6.5 Project risk management

6.6 Project procurement management

App. C. Clinger-Cohen

C-3

7.0 Capital Planning and Investment Assessment

7.1 Best practices

7.2 Cost benefit, economic, and risk analysis

7.3 Risk management models and methods

7.4 Weighing benefits of alternative IT investments

7.5 Capital investment analysis models and methods

7.6 Business case analysis

7.7 Integrating performance with mission and budget process

7.8 Investment review process

7.9 Intergovernmental, Federal, State, and Local projects

8.0 Acquisition

8.1 Alternative functional approaches (necessity, government, IT) analysis

8.2 Alternative acquisition models

8.3 Streamlined acquisition methodologies

8.4 Post-award IT contract management models and methods, including pastperformance evaluation

8.5 IT acquisition best practices

9.0 Technical

9.1 Information Systems Architectures client/server, collaborative processing,telecommunications

9.2 Emerging/Developing technologies

9.3 Information delivery technology (internet, intranet, kiosks, etc.)

9.4 Security policy, disaster recovery, and business resumption

9.5 System life cycle

9.6 Software development

9.7 Data management

10.0 Desk Top Technology Tools (new)

C-4

App. D. IA Functions

D-1

Appendix D.Information Assurance Functions

All information assurance functions described below include both tactical/deployablesystems and strategic or fixed systems. Those that are tied to privileged access are identifiedas a CRITICAL FUNCTION and are shaded.

Function A – IA Certification and Accreditation

•••• Systems

•••• People

•••• Equipment

•••• Procedures/Policies

•••• Security

Function B – IA Training/Education•••• Professors/Instructors

•••• Course Developers

•••• IA Training Administration

Function C – IA Management•••• Unit/Base/HQ Levels

•••• Acquisition of Secure Systems

•••• Policy/Procedure

•••• Development

•••• Implementation

•••• Compliance

•••• Enforcement

•••• Asset Accountability

Function D – System/Network Administration and Operations [critical function]•••• Configuration Control

•••• Installation

•••• Operations and Maintenance

D-2

•••• System Selection

•••• Access Control

•••• Response/Recovery/Reconstitution

•••• Incident Response

•••• Operations Monitoring and Analysis

•••• Countermeasures

Function E – Systems Security Engineering•••• Research

•••• Design


•••• IA Planning and Control

•••• IA Requirements Definition

•••• IA Design Support

•••• IA Operations Analysis

•••• Life Cycle IA Support

•••• IA Risk Management

Function F – IA Systems/Product Acquisition•••• Procurement

•••• Technical Expertise

Function G – Computer/Network Crime [critical function]•••• Forensic Analysis

•••• Criminal Prosecution/Investigation

Function H – Cryptography•••• Operations

•••• Management

Function I – Threat and Vulnerability Assessment [critical function]•••• Red-Teaming

•••• Penetration Testing

•••• Threat Analysis

FUNCTION J – COMPUTER EMERGENCY RESPONSE TEAM (CERT) [critical function]•••• Clearinghouse for collection of technical vulnerability information

App. D. IA Functions

D-3

•••• Clearinghouse for collection of incident reports

•••• Provide technical expertise to mitigate and reconstitute to victim site following anevent/incident

•••• Disseminate vulnerability information with mitigation solutions (when possible)

•••• Disseminate threat information

•••• Coordinate with other CERTs

•••• Coordinate with appropriate law enforcement agencies

•••• Coordinate with appropriate counterintelligence agencies

Function K – Web Security [critical function]•••• Information management

•••• Information systems administration

•••• Information system security

D-4

App. E. Data Call Results

E-1

Appendix E.Data Call Results

E.1 Introduction

The IPT developed a data call with the intent to characterize critical aspects of the IA workforce. The purpose of this Appendix is to delineate the results of the data call and to explainhow the results were derived to provide a context for understanding what the data represent.Overall, the data call was not as complete and systematic as was hoped for, but it did providesignificant insights into the IA work force.

The discussion presented here will cover three areas, the approach, the data received (and itslimitations), and the insights into the IA work force derived from that data.

E.1.1 Approach

The IPT determined that it wanted the following information about the IA workforce:

•••• What personnel sources perform IA functions: active military, reserve military,civilians, contractors?

•••• How is the IA workforce distributed across the IA functions?

•••• How much of the IA workforce performs IA functions on a full-time basis and howmuch on a part-time basis?

•••• What portion of the IA workforce does not consist of IT professionals.

•••• How much of the IA workforce has received formal training (either computer basedor classroom) and how much has received only on-the-job training.

The IPT then developed a survey instrument to collect this information at the unit level.Because of the large size and complexity of DoD a sampling strategy was designed so thatthe responses to the survey from only selected sites could be used to characterize identifiablesegments of the DoD community. The personnel occupation codes that identify personnelas IT professionals are listed in a third section below.

E.1.2 Survey Instruments

The data call survey consists of three instruments in which the participating unitscharacterize their IA work force

•••• Instrument 1 – a snap-shot of the current IA work force

E-2

•••• Instrument 2 – a judgment about the IA work force currently required

•••• Instrument 3 – a projection of the IA work force requirements for year 2004

The survey instruments asked the respondents several important questions:

•••• How many people perform which IA functions in their unit?

•••• Is IA a full-time or part-time job for these people?

•••• Have these people received training for the IA functions they perform?

•••• What categories of personnel are used (e.g., active or reserve military, civilian,contractor)?

In particular, the survey tracks individual persons by the functions performed and thepercentage of time performing that function. At the time of the data call, only ten IAfunctions had been defined. The Web Security function was added as a critical IA functionafter the data call was completed. Therefore, there is no data on the web security function.The ten functions defined in the survey instruments are listed in Table 5.

Table 5. IA Functions

Function A - IA Certification and Accreditation Function F - IA Systems/Product Acquisition

Function B - IA Training/Education Function G - Computer/Network Crime

Function C - IA Management Function H- Cryptography

Function D - System/Network Administration andOperations

Function I - Threat and Vulnerability Assessment

Function E - Systems Security Engineering Function J - Computer Emergency ResponseTeams (CERT)

E.1.3 Sampling Strategy

DoD is a complex organization of 1.4 million active duty military, 0.7 million civilians, and0.9 million Selected Reserves and National Guard forces. It consists of four Services andover twenty Defense Agencies. The Services alone contain over 40,000 organizational units.Although approximately 90% of DoD reside within the U.S., the remaining personnel aredeployed worldwide. Directly querying all of these people and organizations is not apractical way to characterize the IA work force.

Thus, a sampling strategy was adopted. Sampling requires that DoD be partitioned intomutually exclusive and exhaustive subsets, where the IA work force usage is thought to berelatively homogeneous within each subset. Organizational units appear to be a suitablebasis for a partition for three reasons:

•••• Organizational units are identifiable within DoD personnel data, and thus theirpopulations and locations are readily determined

•••• Organizational units form a mutually exclusive and exhaustive group (i.e., eachperson is in one and only one unit), and


E-3

•••• Information Technology and Information Assurance services are plausibly related tolocal area networks associated directly with organizational units

A first estimate is that the partition should be according to three factors,

•••• Component

•••• Mission (as indicated by major command affiliation), and

•••• Size of the organizational element

Once such a partition is defined, the numbers of personnel and the numbers of units in eachcell of the partition can be readily determined. By sending the survey to a suitable numberof units within each cell the responses can be used to characterize the populations withinthat cell. Any divergence of the responses within a cell can be used as an indicator that thecells are not sufficiently homogeneous, and additional division may be warranted. If resultsare missing from a cell or cells, assumptions can be made with regard to how an adjacent cellmay characterize the missing cell, and projections would remain feasible, albeit with reducedconfidence and accuracy. Component-wide and even DoD-wide results are then obtainableby totaling the projections for each cell in each Component and across all of DoD. Of theelements of the partition, the Service and Defense Agencies are readily identified. Also,major commands or the equivalent can divide each of the Services. The Marine Corps doesnot have major commands, per se, but the Marine Reporting Unit Code can be used toidentify units as combat, acquisition, logistics and so forth. Across DoD the majorcommands break into the five functional divisions shown in Figure 1.

Unit size is readily available to support a partition of DoD because organizational units arealways subsets of individual major commands. Across the 30,000 organizational units inDoD, the median unit size is approximately 270. An analysis of unit sizes in DoD suggeststhe following breakdown is useful:

•••• Large units (500 or more people)

•••• Medium units (100-499 people) (straddles the median; bulk of the population)

•••• Small units (10-99 people)

•••• Tiny units (less than 10 people) (most are in shared locations; special case where tinyunits are solitary (Tiny-s)

E-4

Figure 1. Total Service Population Divided by Type of Major Command

The partition by Service and major command function is significant because experience hasshown that Service procedures frequently vary along those lines. However, the effect of unitsize on IA usage appears to be more intuitively obvious. Large units are expected to employfull time, professional system administrators and related positions, and they are expected toservice a relatively large user base. On the other hand, small units are expected to requirelarger numbers of part time IA positions, working less intensively on an individual basis andserving a relatively limited user base.

These slices across DoD partition it into the framework shown in Figure 2. The multiplepages for each case is intended to show multiple Services, broken down on the basis offunction and unit size. A “case” is a single cell in this figure, and it corresponds to a choiceof a single Service, a single function, and a single size of unit.

When the cells for each of these cases were examined to determine the numbers of units andthe populations of each, it became clear that not all of the cases were of equal significance,nor were an equal number of samples needed for each. For the large units, the numbers ofunits in any one function could be limited, and in many cases one or two samples appearedto be reasonable for the case. In other cases the numbers of units were small enough forsome functions that the cells were combined to make viable groups. The resulting numbersof cells and samples for the Services are summarized in Figure 3.

Several additional cases were considered beyond the Service infrastructures. The Navy andMarine Corps each had significant numbers of tactical forces, either assigned to ships, orassigned to tactical units that were stationed on ships. These were treated as a separate casefrom the Service infrastructures.

The Defense Agencies each fell into a single one of the functional categories, and they weretreated separately. Units were somewhat more problematic for the Agencies, with nocentralized lists of unit names and addresses maintained by the Defense Manpower DataCenter, as had been the case for the Services. However, the combination of Component and

Total Service Population Represented 1.79M

Combat

45%

Support

21%

Training

18%

Acq & Log

14%

Intel

2%


E-5

geographic location appeared to be a viable surrogate for the agencies. The overall samplingplan for the IA requirements is summarized in Table 6.

Tiny Units<10 people

Medium Units100-500 people

Large Units>500 people

Serv

ices

Small Units10-100 people

Serv

ices

Serv

ices

Serv

ices

Intel

Acquisition

Training

CombatForces

Support Intel

Acquisition

Training

CombatForces

Support Intel

Acquisition

Training

CombatForces

Support

Intel

Acquisition

Training

CombatForces

Support

Figure 2. Framework for IA Results

Acquisition/ Logi stics Inte lligence Combat

Force s Support Training Large ( ≥≥≥≥ 500 ppl) Medium (100-499 ppl) Small (10-99 ppl) Tiny (<10 ppl) Tiny-Solitary (<10, a lone)

Framework for IA Requirements

Function Size

Army Units 18 Cases, 405 S amples

Navy Units 27 Cases, 280 S amples

Marine Corp Units 14 Cases, 95 Samples

Air Force Units 19 Cases, 350 S amples

Total for the Services: 78 cases, 1,130 samples

Figure 3. Summary of Service Infrastructure in IA Sampling Requirements

E-6

Table 6. Sampling Plan for IA Data Call

Cases Samples

Infrastructure 68+ 1,050+Services

Afloat/Tactical 10+ 80+

Agencies 17+ 65+

Grand Total for Survey 95+ 1, 195+

The Services and Agencies were provided the details of this sampling plan to aid theircollection of data and to help ensure an adequate number of samples and cases would bereturned to make the analysis feasible and meaningful.

E.1.4 Identification of IT Professionals Within the IA Workforce

One of the objectives of the data call was to determine whether the IA work force consistsmostly of IT professionals, or personnel from other specialty areas assigned IA duties on acollateral basis. Thus, for each individual identified as performing an IA function, themilitary occupational specialty code or designator was requested. Those personnel withspecialty codes listed in Table 7 were considered IT professionals.

Table 7. IT Occupational Codes Within DoD

TypeOccupation

Code Title

Army IT Specialists

Enlisted 74B Information Systems Operator-Analyst

Enlisted 74C Record Telecommunications Operator-Maintainer

Enlisted 74G Telecommunications Computer Operator-Maintainer

Enlisted 74Z Information Systems

Officer 25A Signal, General

Officer 53A Systems Automation Management

Warrant 250N Network Management Technician

Warrant 251A Data Processing Technician

Navy IT Specialists

Enlisted RM Radiomen

Enlisted NEC2735 Information Systems Administrator

Enlisted NEC2779 Information Systems Security Manager

Enlisted NEC2780 Network Security Vulnerability Technician

Enlisted NEC27871 Advanced Network Analyst


E-7

TypeOccupation

Code Title

LDO 6420 Automated Data Processing

Warrant 7420 Automated Data Processing

Officer 0045 (Secondary MOS) Command and Control

Officer 0046 (Secondary MOS) Information Warfare

Officer 0055 (Secondary MOS) Electronic Engineering

Officer 0076 (Secondary MOS) Space Systems Operations

Officer 0077 (Secondary MOS) Space Systems Engineering

Officer 0089 (Secondary MOS) Information Technology Management

Officer 0091 (Secondary MOS) Information Technology Science

Marine Corps IT Specialists

Enlisted 4066 Small Computer Systems Specialist

Officer 0602 Communications Information Systems Officer

Air Force IT Specialists

Enlisted 3A0 Series Information Management

Enlisted 3C0 Series Communications-Computer Systems

Enlisted 3C1 Series Radio Communication Systems

Enlisted 3C2 Series Communications-Computer Systems Control

Enlisted 3C3 Series Communications-Computer Systems Planning andImplementation

Officer 33S Series Communications and Information

Civilian IT Specialists

GS 0332 Computer Operation

GS 0334 Computer Specialist

GS 0335 Computer Clerk and Assistant Series

E.2 Data Received

A summary of data received for analysis is shown in Table 8. The table lists all of theServices and Agencies participating in the data call, and two sets of columns, one for thedata requested, and one for the data received. Within each set of columns, the reference tocases represents the number of cases analogous to the cells in Figure 2, and the reference to

E-8

samples indicated the total number of units to be queried—roughly 10 to 30 samples percase in the initial data call design.

Table 8. Data Call Response Received4

Data Requested Data Received

Cases Samples Cases Samples

Army 18 405 16 50

Navy 27 280 21 25

Air Force 19 350 11 59

Marine Corps 14 95 5 11

BMDO 1 1 Entire agency

DIA 1 1 1 1

DISA 3 25 * 15

DLA 5 45 * 36

DoD IG 3 16 Entire agency

Joint Staff Did not specify * 18

NIMA 1 1 Entire agency

NSA 1 1 Incomplete

WHS 1 5 1 5

The Services, listed in the top section of the table made some effort to follow the samplingstrategy outlined above. Because the Services contain the great majority of DoD personneland IT systems, their results are central to this data call.

The Agencies generally did not use the sampling strategy because the local definitions ofunit identification code were either unavailable for the effort or the Agencies chose not touse them. In some cases Agencies did a full survey, and in other cases, they developedalternative sampling strategies. The intelligence agencies (DIA, NSA and NIMA) carried outtheir own surveys and provided limited results for the study. The results from the DoD IGshowed that the IA usage pattern was entirely different5 from the rest of DoD, and thereforetheir results were not combined with the other organizations. Results from the Agenciescovered through this effort are discussed below when and where results could be madeavailable in a form similar to the Service data analyzed.

4 Data received did not fit the proposed sampling structure.5 The DoD IG reported approximately 30 work years involved in professional investigations of computer

intrusions, and 0.6 work years in system administration for the entire agency. All other DoD organizationsshowed significant usage of most IA functions and primary system administration, but practically noinvestigation of computer intrusions. Thus, the DoD IG results were essentially disjoint from the otherdata.


E-9

The response of the Services to the data call was at best incomplete, and this significantlyreduced the confidence that can be placed in the results of the effort. Two kinds ofproblems are evident in Table 8:

•••• Service data failed to cover many of the cases requested, except perhaps for theArmy, which did cover 16 of 18 cases identified in the sampling framework. OtherServices data failed to cover a significant fraction of the cases in the framework: 22percent (Navy), 42 percent (Air Force) and 64 percent (Marine Corps) of the cases inthe framework. These cases were identified in the Framework because IA usage waspresumed to differ for each case, and the lack of coverage means that significantfractions of each Service are not sampled and are being represented by an averagebased on the samples that were taken.

•••• Whereas the initial plan called for 10 to 20 cases per sample, the actual data reflectsbetween 1 and 5 cases for sample, depending on the Service. Such low samplingrates increase the chance that atypical units may be projected to represent somecases. Thus the simple statistical reliability of the data call is minimal.

The main problem with the low response rates shown in Table 3 is the potential they raisefor flawed (non-representative) data collection. The uncontrolled potential for bias becauseof the low reporting rates appears to be the primary source of error in the sampling, eventhough the statistical reliability of the data is also marginal at best. Uncontrolled biasescould be manifested in several ways:

•••• Units with minimal investment in IA may be more likely to respond than units withmore significant IA investment because the reports are easier to do—there is less toreport. This effect would tend to understate the actual DoD IA usage.

•••• Units engaged in a local IA debate might be more likely to respond to the data call ifthey view it as a means of furthering one side of the debate. This could affect theaccounting, but the bias could either overstate or understate DoD IA usage.

The objective of the analysis was to use the data from the data call, despite its limitations, tomake the best representation of IA usage across all of DoD. In defining the sample cases(Figure 3), it was realized that some cases covered relatively small portions of DoD, whereasother cases covered relatively large numbers of people. Thus we needed to weight theresults for each case in an appropriate manner so that samples representative of largepopulations are weighted more than those that are representative of small populations. Apersonnel database, covering all DoD active military and direct hire civilians was used toestablish both the framework and the weightings appropriate for each case in the framework.

The analysis for each case in the framework used the simple assumption that all of the unitsin each case had the same ratio of IA counts (e.g., for people, work years) to unit populationas did the units that were sampled in the data call for that case. Since the population of eachcase is known from the DoD personnel database, the IA totals follow directly from theassumption.

A complication arises for the cases for which no samples were provided. In those cases, theratio of the IA counts to the population that was sampled was used to characterize thepopulation that was not sampled. This assumption is likely to introduce error, but no

E-10

practical alternatives are evident. Table 9 summarizes the scaling that was used in thisprocess. For the cases where data were available, two percent (32,885/1,538,313) of thecovered population were actually sampled. The covered cases are then, in effect, scaled upby another 30 percent (2 million/1.5 million) to cover the portion of DoD in the cases forwhich the Services provided no data.

In the counts of IA personnel and resources provided by the Services, approximately 10percent of the work were actually provided by reserves or contract personnel. Neithercontractors nor reserves were included in the personnel counts used to scale the results.Because of the methodology used (described above), the total counts of IA work years or IApersonnel would remain valid as projections of DoD usage of IA. However, includingcontractors and reservists could lead to an overstatement of IA as a fraction of the totalService-generated work years, by approximately 10 percent, because contractors and reserveswere not included in the figure for total Service work years.

Table 9. Population Count Used to Scale the Services

Personnel Counts

Service

IA PersonnelReported in Data

Call

Total Personnelfrom Units

Reporting in DataCall

Total Personnelin Cases with

Data Available

Total Personnelin Service(Military +Civilian)

Army 779 14,087 653,925 711,299

Navy 326 7,901 384,587 568,100

Air Force 596 7,106 435,000 543,047

Marine Corps 248 4,189 64,801 183,659

Total 1,949 33,283 1,538,313 2,006105


E-11

E.3 Results

As a result of the data call, insights were developed into four areas of DoD IA usage:

•••• Resources by IA function

•••• Part time vs. full time IA support

•••• Training background for IA personnel

•••• Types of personnel providing IA support

E.3.1 Resources by IA Function

The first topic of interest in DoD IA is the resource distribution in IA functions. In Figure4, the resource distribution for Services IA work years over the ten functions defined in theoriginal survey is displayed as percentages of the total work years generated by each Service.Despite the limitations in the data, a pattern clearly emerges that is similar across theServices.

Figure 4. IA Resource Distribution by Function for the Services

IA c

ert/a

ccrd

t

IA tr

ain/

edu

IA m

gmt

Sys/

net a

dmin

Sys

sec

eng

IA s

ys a

cq

Com

p/ne

t crim

e

Cry

pto

Thre

at/v

uln

CER

Ts

NavyMarine CorpsArmyAir Force

0.0%

1.0%

2.0%

3.0%

4.0%

Perc

enta

ge o

f tot

al m

anpo

wer

E-12

For each Service, System/Network Administration dominates the list of functions andgenerally accounts for about half of the total effort:

•••• The Air Force, with 3.7% of its total manpower in System/Network Administration,has the largest per capita system administrators. This is equivalent to havingapproximately one system administrator for every 27 people. Several limitationsdiscussed above (Section 2) could overstate the Air Force usage of IA based on thisdata.

•••• The Army is next with 3.5%, which translates to approximately one systemadministrator for every 30 people.

•••• The Marine Corps has the next highest System/Network Administration usage at3% (one system administrator for every 34 people). The Marine Corps data sufferfrom low response rate to the data call, resulting in unreliable scaling.

•••• The Navy has the lowest IA resource of the Services. Only 2% of Navy’s totalmanpower is in System/Network Administration. Therefore, there is one systemadministrator for every 50 people. The Navy also had very low data response rate,with attendant unreliable scaling.

Of the original ten IA functions, four are defined as critical: System/NetworkAdministration and Operations; Computer/Network Crime; Threat and VulnerabilityAssessment; and Computer Emergency Response Team (CERT).

Table 10 summarizes the results for Service IA resources. The first two columns indicatethe total work year resources associated with IA, and the fraction of all Service-generatedwork years that they represent. The last two columns show critical functions resources as apercentage of the Service total IA resources. System/Network Administration takes uproughly half of the total IA resource. The other critical IA functions use only a smallfraction of the total IA resource.

Table 10. Summary of IA Service Resources

Critical IA(% of Total IA)

ServiceTotal IA

Work-Years% of Total

Service Work-YearsSystem/Network

Admin & Ops. Other Critical IA

Army 48k 6.8% 51% 1%

Navy 24k 4.2% 48% 1%

Air Force 38k 7.0% 54% 5%

Marine Corps 8k 4.5% 64% 1%

The Agencies typically show the same type of distribution as the Services for IA functionsexcept for Agencies with specialized missions. These special cases—DIA, NIMA, DISA,and DoD IG—are presented below. DIA and NIMA are both intelligence agencies, andshow System/Network Administration as the dominant IA usage in Figure 5 and Figure 6.Fully 91% of the IA at DIA is for System/Network Administration, and 73% for NIMA.


E-13

Figure 5. Relative Distribution of DIA IA Resource by Function

Figure 6. Relative Distribution of NIMA IA Resources by Function

DIA IA resource

0%10%20%30%40%50%60%70%80%90%

100%

IA cert/accrdt

IA train/edu

IA mgmt

Sys/net admin

Sys sec eng

IA sys acq

Comp/net crime

Crypto

Threat/vulnCERTs

Perc

enta

ge o

f tot

al IA

NIMA IA resource (total 246 workyears)

0%10%20%30%40%50%60%70%80%90%

100%

IA cert/accrdt

IA train/edu

IA mgmt

Sys/net admin

Sys sec eng

IA sys acq

Comp/net crime

Crypto

Threat/vulnCERTs

Perc

enta

ge o

f tot

al IA

E-14

DISA total is shown in Figure 7. DISA is a case where the UICs maintained by DMDC donot reflect the DISA organization, but the DISA Organization & Manpower Division,provided an alternative approach. In particular, some of the DISA units actually provide IAservice for other groups within DISA. The total number of personnel within theorganizations served by the sampled units is 2,917. These IA personnel are applied againstthe whole DISA customer base in determining the ratio of IA to total people. DISA’s IAusage remains very high at approximately 14 percent (compared to 4 to 7 percent for theServices). The difference in the distribution of IA resources can be expected to be due tothe specialized mission of DISA. DISA WESTHEM did not submit any samples in the datacall, and the results might have been different if WESTHEM were included.

DoD IG is also a specialized case because of its criminal investigative nature. DoD IGaddresses Computer/Network Crimes almost exclusively. GS-1811 professional criminalinvestigators do all investigations. Because the data are so disjoint, the DoD IG data are notaggregated with other data in this report.

Figure 7. Reported DISA IA Resources by Function

E.3.2 Part-Time vs. Full-Time IA Support

Another topic of interest is the distribution of full-time and part-time IA personnel. Morefull-timers may promote efficiency and possibly reduce training and certification pipe lines.Figure 8 shows the break down of the IA personnel for the Services by 10% intervals of theamount of time spent on IA. The scale is chosen to have a maximum of 40,000 people forArmy, Navy, and Air Force to aid in comparison between Services.

•••• The Marine Corps is plotted on a smaller scale simply due to its smaller size.

•••• With the exception of the Navy, the Services have more than half of their IAworkers doing at least 75% time on IA. The Navy however, has its people spreadthroughout the spectrum.

DISA IA resource (total 402 workyears)

0

20

40

60

80

100

120

IA cert/accrdt

IA train/edu

IA mgmt

Sys/net admin

Sys sec eng

IA sys acq

Comp/net crime

Crypto

Threat/vulnCERTs

Wor

kyea

rs


E-15

•••• Some of the Agencies have similar distribution as Army, Air Force and MarineCorps. A plot showing their distribution is shown in Figure 9.

Some of the other Agencies have peculiar distribution of full-time vs. part-time IA workerscompared with the other groups already covered. The results for these Agencies are plottedin Figure 9.

Figure 8. Personnel vs. Time Spent on IA for the Services

Army IA personnel (65k total)

k5k

10k15k20k25k30k35k40k

10%20%

30%40%

50%60%

70%80%

90%100%

Time spent on IA

Num

ber o

f per

sonn

el

Navy IA personnel (49k total)

k5k

10k15k20k25k30k35k40k

10%20%

30%40%

50%60%

70%80%

90%100%

Time spent on IA

Num

ber o

f per

sonn

el

Air Force IA personnel (58k total)

k5k

10k15k20k25k30k35k40k

10%20%

30%40%

50%60%

70%80%

90%100%

Time spent on IA

Num

ber o

f per

sonn

el

Marine Corps IA personnel (13k total)

k

2k

4k

6k

8k

10k

10%20%

30%40%

50%60%

70%80%

90%100%

Time spent on IA

Num

ber o

f per

sonn

el

E-16

Figure 9. Full-Time vs. Part-Time Distribution for DIA, DISA, JCS, and DLA

E.3.3 Training Background for IA Personnel

The final two topics covered in this analysis address training issues. The first part, trainingbackground, addresses whether the IA worker has had formal training for the IA function towhich he or she is assigned. A person is considered to have had formal training if he or shehas gone through either class room training or computer based training (CBT). Contractorsare assumed to be formally trained if the IA function they perform is specified in thecontract.

A distinction should be drawn between someone who is performing a critical function,defined in Section 3.1, as opposed to someone who is not. It is much more important thatthe person doing a critical IA function be properly trained. For the plots presented here, the

DIA IA personnel

0%10%20%30%40%50%60%70%

10%

20%

30%

40%

50%

60% 70%

80%

90%10

0%

Time spent on IA

Perc

enta

ge o

f pe

rson

nel

DISA IA personnel (515 represented)

0%10%20%30%40%50%60%70%

10%

20%

30%

40%

50% 60%

70%

80%

90%10

0%

Time spent on IA

Perc

enta

ge o

f pe

rson

nel

JCS IA personnel (381 sample total)

0%10%20%30%40%50%60%70%

10%

20%

30%

40%

50% 60%

70%

80%

90%10

0%

Time spent on IA

Perc

enta

ge o

f pe

rson

nel

DLA IA personnel (486 total)

0%10%20%30%40%50%60%70%

10%

20%

30%

40%

50% 60%

70%

80%

90%10

0%

Time spent on IA

Perc

enta

ge o

f pe

rson

nel


E-17

raw responses, rather than case-weighted results, will be used to facilitate comparison amongComponents. Figure 10 shows the level of training for the Services.

Figure 10. Level of Training for the Services

Some observations based on Figure 10 include:

•••• Training has been provided to ~80% of the IA workforce (not including Navy)

•••• Personnel with critical IA functions out-number personnel without critical IAfunctions by roughly 4 to 1 (again, not including Navy)

The data appear to show the Navy with fewer people trained than the other Services, and amuch lower usage ratio of critical to non-critical functions. It must be emphasized again thatthe Navy data call response rate is very low, and the data may simply be invalid with regardto these issues. The Navy training statistics may, however, be linked to the use of part timepersonnel for critical functions. Figure 10 shows that the Navy uses part time personnel to agreater extent than the other Services. The low level of training indicated here does warrantfurther examination.

Army training

0

100

200

300

400

500

600

700

Critical Non critical

Criticality of IA function

Num

ber o

f per

sonn

el

No formal trainingFormal training

Navy training

020406080

100120140160180200


Criticality of IA functionNu

mbe

r of p

erso

nnel


Air Force training

0

100

200

300

400

500



Num

ber o

f per

sonn

el


Marine Corps training

0255075

100125150175200



Num

ber

of p

erso

nnel


E-18

The level of training for the Agencies appears to be similar to that of the Services. Table 11shows a summary of level of training for the Agencies by the percentage trained. The datafor DIA was not included because the training field was not completed consistently for thepersonnel identified on the DIA data call.

Table 11. Level of Training for the Agencies

Percentage Trained

Critical IA Non critical IA

BMDO 94% 13%

DISA 87% 96%

DLA 64% 78%

DoD IG 91% None

Joint Staff 75% 64%

NIMA 99% 0%

WHS 81% 70%

E.3.4 Types of Personnel Providing IA Support

The question of personnel background is harder to track. One of the problems stems fromthe way the data call instrument was crafted. The respondents were asked to report theOccupational Code for the IA personnel identified. This resulted in inconsistent answersdue to the different interpretation of the question being asked. The Army and the Air Forcehad the best and most consistent response to the question of occupational series, whereasthe Navy and the Marine Corps responses did not provide usable data. Better response mayhave been possible had the desired Occupational Codes for IT professionals been identifieda priori and given to the survey respondents to choose.

The organizations in the Services and Agencies with data that supported a personnelbackground breakdown are shown in Figure 11 and Figure 12. Four categories of personneltypes are considered here:

•••• Contractors (can be considered most likely to be IT professionals)

•••• IT Professionals (personnel identified by their Occupational Codes)

•••• Other Specialists (all other Occupational Codes)

•••• Unspecified (no Occupational Code provided).


E-19

Figure 11. Personnel Background Breakdown for Army and Air Force

Figure 12. Personnel Background for Selected DoD Agencies

Personnel background - Army

9%

38%47%

6%

ContractorsIT professionalsOther specialtiesUnspecified

Personnel background - Air Force

5%

60%

26%

9%


Personnel background - DLA

12%

59%

26%

3%


Personnel background - NIMA

31%

21%

45%

3%


Personnel background - BMDO

77%

15%

8%

ContractorsIT professionalsOther specialties

Personnel background - WHS

23%

18%

38%

21%


E-20

App. F. Military IT Occupational Specialties

F-1

Appendix F.Military IT Occupational Specialties

Background

General

The military personnel subgroup of the IPT reviewed the personnel management of thosepersonnel who perform IT/IA functions. The initial goal was to use the results of the datacall to see what personnel policies, practices, etc., should be established in the Department.The subgroup was not able to fulfill that goal due to the lack of timeliness of the requireddata. Therefore, it focused its efforts on management of established military IT occupationalspecialties in each Service. Though the term “information technology” is defined, who is anIT professional is widely interpreted. Therefore, the occupational specialties discussed inthis appendix represent those that the Services consider to be their IT occupationalspecialists.

Career Fields

Each of the Services has established IT occupational specialties for both officers and enlistedpersonnel who are managed by career field managers. The Army, Air Force, and MarineCorps are specialized to the extent that their professional personnel serve tours primarily intheir career fields and have established career tracks. Career progression allow both officersand enlisted to progress from junior enlisted and officer ranks to the E-8/9 level for enlistedand O-6/7 level for officers. In some cases, merging of skill ratings or specialties at upperpay grades has been accomplished to allow for continued progression.

The Navy manages its professional IT officer force through a subspecialty system. Officersin other career fields receive training and/or experience in IT fields before becomingsubspecialists. Ideally, they alternate tours between their primary specialty and theirsubspecialty fields, but compete for promotion in their primary occupational field. TheNavy’s management of its enlisted IT professionals is similar. The Navy identifies itspersonnel through an NEC system with Radioman the primary rating in the IT skill areas.However, other occupational specialties such as Cryptologic Technician (CT) andFirecontrol Technician (FT) may source into IA/IT NECs. Unlike officers, enlistedpersonnel with IT NECs can normally expect to be assigned by their NEC specialty.Competition for promotion, however, is done against the parent rating.

Retention

Retention of experienced IT military personnel is a concern for each of the Services. In thelast three years, an increase in the number of experienced IT personnel leaving the military

F-2

has been documented. Reasons cited include PERSTEMPO/OPTEMPO, private sectoropportunities, retirement benefits, and career progression (in some cases).

Each of the Services has recognized the difficulties in retaining experienced personnel, andhas taken a number of actions to boost retention to retain experienced personnel and meetend-strength requirements. These actions include:

•••• Selective Reenlistment Bonuses (SRB). Each of the Services is using SRB toretain enlisted personnel. The overall trend in the last three years has to been toincrease the multiple offered. Increasingly, the Services are offering SRB to secondterm personnel (6 to 10 years of service) and careerists (10 to 14 years of service).The effectiveness of retaining personnel using SRB has varied by Service. The Armyand Navy have reported favorable “take rates,” while the Air Force and MarineCorps are more guarded in their assessments of its effectiveness.

SRB is budgeted annually in the POM for each of the Services. Each of the Servicesmanages a master SRB budget, and money is allocated subject to Service priorities.Because retention is an issue throughout DoD, the amount of money allocated toSRB within DoD has increased significantly in the last three years.

While there is a reenlistment bonus for enlisted personnel, there is not an equivalentfor officers in the IT workforce.

•••• Education. Each of the Services is using advanced education to assist in retainingpersonnel. The Services allow personnel to obtain a fully funded degree in returnfor a service obligation. It should be noted, however, that educational programs aremost often completed during a service member’s “off duty” time, and can bedifficult to start and/or successfully complete given service commitments such asdeployment.

•••• Commercial certification. The Navy, Air Force, and Marine Corps are lookingclosely at allowing personnel to participate in commercial certification programs. Inreturn for receiving commercial certification from companies such as Microsoft,personnel agree to reenlist or extend their contracts. The Navy is expecting to train2,000 Microsoft Certified Systems Engineers per year starting in FY 99. The AirForce is currently working a similar pilot program that will begin in FY 00. In FY01, they will assess the effectiveness to determine if the program should be used AirForce wide. The Marine Corps has initiated a program, but is still assessing whetherthe program is going to be successful in retaining personnel.

•••• Lateral conversions. Each of the Services is allowing personnel in other careerfields, particularly those that are being disestablished or are over-manned, to laterallyconvert into IT specialties if they meet the skill requirements. This program hasbeen generally successful in each of the Services.

•••• Prior service personnel. Each of the Services is allowing personnel who have leftthe Service to return if they meet certain guidelines. However, relatively fewpersonnel are being recruited/retained in this manner.

•••• Continuation beyond separation gates. Each of the Services is accepting andapproving, on a case-by-case basis, requests for personnel who are non-selected for


F-3

promotion but are approaching high year tenure gates to stay in the Service forspecific periods of time.

•••• Steering Groups. Beyond the use of career field managers, the Air Force recentlyestablished an officer steering group composed of senior personnel from the ITcommunities to review the management of their officer/enlisted/civilian IT careerfields. Though not a new approach, the group made positive recommendations tothe management of the officer corps that have been adopted by the Service. TheNavy has also used the same approach. It has established an Executive SteeringGroup to oversee the career IT training of all Department of the Navy personnel aspart of its Computers, Information Systems, and Networks (CISN) strategy.

Accessions

Each of the Services uses computer models to assist in determining the appropriate numberof personnel to recruit for IT career fields. While personnel with the prerequisite ability tobecome IT occupational specialists are actively sought, the Services’ goal is to recruitpersonnel for the Service first. Once recruited, uncommitted personnel undergoaptitude/physical screening before being classified for an IT occupational specialty or otherpositions. Enlistment incentives (e.g., bonuses, college funds) are used in varying degrees bythe Services (Navy and Air Force) to attract personnel into IT occupational specialties.

The working group reviewed the accession goals versus actual accessions for each of theServices for the last three years:

•••• The Army, Navy, and Marine Corps each reported that they met their accession goalsfor IT officers and enlisted personnel for FYs 96 through 98.

•••• The Air Force reported that it met its goals for accessing personnel for enlisted IToccupational specialties for the same time frame. The Air Force, however, has notbeen able to access enough IT officers. The Air Force requirement to sustain the ITofficer career field has been 414 personnel but has fallen short of that goal in eachof the last three years (FY 96 – 340; FY 97 – 300; FY 98 –285). In addition, 436 ITpersonnel retired or separated from the Air Force during the same period. TheService is reporting that it is currently on target to meet its accession goal for officersin FY 99, and is projecting to recruit 390 personnel in FY 00.

•••• Each of the other Services reported that it is on track to meet its accession goals forofficer and enlisted IT occupational specialties for FY 99.

The use of waivers to meet accession goals was also reviewed. Each of the Services reportedthat it used waivers, that waivers assist in meeting goals, but that waivers were given onlywhen other information identified that applicant as having good potential.

In those cases where retention efforts do not appear to be adequate enough to meetprojected end-strength requirements, the Services have increased the number of personnelrecruited. In some cases, that number has been increased beyond the number of billetsauthorized for the lower paygrades. This approach ensures not only that there are adequatenumbers of personnel to meet end-strength requirements, but also provides a larger cohort

F-4

to retain from. The ability of the Services to expand training capacity for additionalpersonnel may become a limiting factor.

Although none of the Services has specific policies, programs or advertising campaigns torecruit IT occupational specialists, some initiatives are being reviewed and/or pursued by theServices. The Navy recently instituted a Tech Prep program. In this program, studentsattend a community college for six to twelve months, followed by training in the Navy.College credit is earned in the Navy’s school pipeline. Ultimately, personnel earn anassociate’s degree, and the Navy gains an already trained enlistee. Along the same line,developing an internship type program where students can gain experience in IT career fieldsduring summers and other school vacations is an idea under review.

The Navy has revamped curricula for IT at the Naval Postgraduate School and the NavalAcademy. The Air Force has done the same at the Air Force Academy and the Air ForceInstitute of Technology. In addition, the Air Force is changing the training curriculum forits enlisted personnel in IT specialties to focus more on networking and IA.

Focusing ROTC dollars toward IT curricula is an idea that was also reviewed. The conceptis to target ROTC scholarships to undergraduate IT degrees. The Air Force already allowsup to 13% of its ROTC scholarships to be offered for computer science and computerengineering degrees. However, personnel may still select other Service career fields atgraduation such as aviation. The Services want a more experienced workforce atcommencement of military service.

Allowing personnel to enter the military through a lateral entry program similar to thatcurrently in place for health care professionals was also reviewed but bears further analysisprior to being pursued. The idea has merit because it would provide an option to recruitexperienced personnel from the civilian sector, but other considerations, such as areasonable expectation that the program would succeed, necessitate additional study.

Air Force

Enlisted

The Air Force has several established and closely managed enlisted career fields that allowadequate career progression in the enlisted ranks. In the last three years, the Air Force hasobserved a decline in retention in many of the IT specific enlisted career fields, withPERSTEMPO and private sector opportunities cited as the primary reasons. With a goal ofretaining 55% of its first term personnel, 75% of the second term personnel, and 95% ofthe career personnel, the Air Force has implemented various programs to improve retentionof experienced personnel and meet end-strength requirements. These include (1) increasingSRB for first- and second-term personnel, and providing a first-ever SRB for careerists; (2)using commercial certification as a reenlistment tool; and (3) allowing personnel with priorservice to return to active duty. Additional manpower is needed to meet the challenge of theproliferation of networks and databases, and Air Force career field managers are pursuingauthorization to conduct a manpower study to document the requirement. Additionalmanpower should assist in reducing PERSTEMPO.


F-5

To meet end-strength requirements, the Air Force has increased the numbers of personnelbeing accessed, and, and is using enlistment bonuses for four- and six-year first termenlistees.

The following tables provide retention rates by terms of enlistment by career field:

Table 12. Information Management (3A)

Year Skill 1st Term % 2nd Term % Career % Billets Inventory SRB

FY 96 3A 80 80 96 12,700 13,500 0/0/0

FY 97 3A 60 75 95 12,000 12,700 0/0/0

FY 98 3A 66 73 93 11,732 12,236 0/0/0

FY 99* 3A 69 66 90 11,400 12,100 0/0/0

*FY99Q1

Remarks: Information managers are currently being trained as workgroup managers (theywork at the unit level to assist personnel with computer applications, minor PC repairs, etc.).No SRB is offered; however, the current retention trend is being monitored closely.

Table 13. Communications/Computer Systems Operator (3C)

Year Skill 1st Term % 2nd Term % Career % Billets Inventory

FY 96 3C 61 68 91 N/A 15,556

FY 97 3C 52 62 91 14,886 14,389

FY 98 3C 49 54 87 14,181 13,285

FY 99* 3C 33 65 85 14,301 12,890

Remarks: This table provides an overall view of the 3C career field. The tables followingprovide breakdowns by each individual Air Force specialty.

F-6

Table 14. Computer-Computer Systems Operations (3C0X1)


FY 96 3COX1 60 71 95 N/A 8,100 .5/.5/0

FY 97 3COX1 55 63 92 8,163 7,710 1/1.5/0

FY 98 3COX1 58 56 90 8,223 7,311 2/3.5/1

FY 99* 3COX1 37 72 86 8,262 7,226 2/4/1

*FY99Q1; N/A – not available

Remarks: This skill area consists of Communication-Computer operators who areperforming network administration and/or information assurance functions in networkcontrol centers, as well as PC and network repairs. This skill area is undermanned, andretention has not met expectations among all terms over the last three years. SRB has beenoffered and increased each year.

Table 15. Computer-Computer Systems Programming (3C0X2)


FY 96 3COX2 66 61 83 2,847 2,702 .5/.5/0

FY 97 3COX2 45 44 87 2,435 2,588 .5/.5/0

FY 98 3COX2 32 28 79 1,911 2,005 2/3.5/1.5

FY 99* 3COX2 15 46 67 1,890 1,937 2/4/.5

*FY99Q1

Remarks: This skill area consists of software programmers. Retention has not metexpectations among all terms over the last three years. SRB has been offered.

Table 16. Radio Communications Systems (3C1X1)


FY 96 3C1X1 76 81 95 N/A 1,166 0/0/0

FY 97 3C1X1 53 83 94 974 987 0/0/0

FY 98 3C1X1 55 82 96 879 858 0/0/0

FY 99* 3C1X1 25 71 93 875 858 0/0/0


Remarks: This skill area consists of radio operators who manage radio networks. No SRBis offered; however, the current retention trend is being monitored closely.


F-7

Table 17. Electronics Spectrum Management (3C1X2)


FY 96 3C1X2 - 66 90 N/A 81 0/0/0

FY 97 3C1X2 - 75 91 76 83 0/0/0

FY 98 3C1X2 - 33 100 77 87 0/0/0

FY 99* 3C1X2 - 100 100 77 89 0/0/0


Remarks: This skill area consists of Electromagnetic Spectrum Managers. They coordinatethe use of frequencies within the electronic spectrum. There are no first-term billets in thisskill area.

Table 18. Computer-Computer Systems Control (3C2X1)


FY 96 3C2X1 54 56 88 N/A 2,220 1.5/1/0

FY 97 3C2X1 48 51 86 2,169 1,988 1.5/2/0

FY 98 3C2X1 47 23 85 2,156 1,891 2/.3/.5

FY 99* 3C2X1 31 46 90 2,166 1,843 2/4/1


Remarks: This skill area consists of Communications Tech Controllers who also work innetwork control centers. This skill area is more technically oriented than the 3C0X1 careerfield and work communications circuits. This skill area has been undermanned over the lastthree years, and retention has not met Service expectations. SRB has been offered.

Table 19. Planning and Implementation (3C3X1)


FY 96 3C3X1 86 70 98 746 767 1/1/0

FY 97 3C3X1 59 83 95 728 722 1/1/0

FY 98 3C3X1 53 54 87 693 656 1/1/0

FY 99* 3C3X1 60 83 94 695 653 1/2/0

*FY99Q1

Remarks: This skill area consists of communications-computer plans and implementationspecialists. They manage communications-computer projects, working with baseorganizations to ensure work is scheduled and projects are completed. With increasednumbers of projects involving networks or adding systems to networks, these personnelhave become integral to planning and implementing networks at bases. Retention hasgradually declined over the last three years. SRB has been offered.

F-8

Officers

The primary IT career field in the Air Force is Communications & Information SystemsOfficer (33S). Officers in the career field 33S specialize as either Communications &Information (33SX) Officers or Communications/Computer Engineers (33SXA). Each hasan established career path and progression. Issues within the officer workforce haveincluded career field progression, adequate training, and retention. To assist in dealing withvarious community issues, the Air Force stood up an O-6 Steering Group that made severalrecommendations that were adopted, including development of an officer career guide,assigning more officers to operational missions as their first assignment, and improving basicand advanced officer training. Additionally, the 33XSA officer career path was changed tomerge with the 33S community at the O-4 level.

Retention is an issue within the Air Force Officer IT career workforce, particularly with33SXA officers. The Air Force is pursuing bonuses for all 33S captains, and is allowingcaptains non-selected for promotion to stay in the Service to 20 years, and majors non-selected for promotion to stay in the Service to 24 years.

The 33S community is receiving its fair share of officers as compared to other missionsupport career fields in the Air Force. However, retention has been consistently lower thanother mission support career fields over the past three years.

The following tables provide retention rates and manning data for officer career fields.

Table 20. Communications and Information Officer (33S)

Year Skill CPT %Mission

Support % Billets InventoryOverall

Manning

FY 96 33S 39 62 5,025 4,425 88

FY 97 33S 43 68 5,054 4,821 95

FY 98 33S 34 64 4,720 4,419 93

FY 99* 33S 58 58 4,613 4,087 88

*FY99Q1

Remarks: The Air Force measures retention at the O-3 level as its benchmark to meet end-strength/career field requirements. Mission support information is provided as a comparisontool.

Table 21. Communications and Information Systems (33SX)

Year Skill Billets Inventory

FY 96 33SX 4,603 4,094

FY 97 33SX 4,657 4,535

FY 98 33SX 4,371 4,170

FY 99* 33SX 4,282 3,866

*Q1 FY 99

Remarks: The Air Force does not track retention for 33SX officers separately.


F-9

Table 22. Communications/Computer Systems Engineer (33XSA)

Year Skill Billets Inventory

FY 96 33SXA 422 331

FY 97 33SXA 397 286

FY 98 33SXA 349 249

FY 99* 33SXA 331 221

*Q1 FY 99

Remarks: The Air Force does not track retention for 33SXA officers separately. Manninghas been a concern.

Army

Enlisted

Career Management Field (CMF) 74 is the Army’s enlisted career field for InformationOperations. Military Occupational Specialties (MOSs) within CMF 74 include InformationSystems Operator Analyst (74B), Telecommunications Operator-Maintainer (74C),Telecommunications Computer Operator-Maintainer (74G), and Information Systems Chief(74Z). Personnel enter the career field in MOS 74B, 74C, or 74G, and can expect toprogress in rank from E1 to E7. Each MOS merges into MOS 74Z beginning at E8 andprogressing through E8 to E9.

Assignments and promotions are made at the Personnel Command (PERSCOM) inAlexandria, Virginia. Force structure is the responsibility of the Office of the Chief Signal atFort Gordon, Georgia.

The Army has not experienced significant shortfalls in meeting end-strength requirements.The Army offers SRB as a reenlistment bonus, and has allowed personnel to laterally convertfrom other MOSs to MOS 74. This year, the Army established a target of 125 billets forlateral conversion to MOS 74, and filled 118 within the first two weeks. Like the otherServices, the Army does allow prior-service personnel to return to MOS 74, and useseducational programs such as tuition assistance as a reenlistment tool.

Accessions for MOS 74 have not been an issue. Personnel are easily recruited by therecruiting command and accession goals met despite the fact that this particular specialty isnot offered an enlistment bonus or the Army College Fund.

F-10

The following tables provide retention rates by terms of enlistment by MOS.

Table 23. Information Systems Operator Analyst (74B)


FY 96 74B 51.5 71.8 66.4 2,386* 2,248* 0/0/0

FY 97 74B 59.7 67.2 64.7 2,373 2,350 0/0/0

FY 98 74B 55.2 64.8 45.8 2,481 2,395 1/1/0

FY 99* 74B 47.1 70.6 70.0 2,780 2,484 1/1/0

*Projected Data

Remarks: Overall, retention among 74B personnel has been close to the Army average forfirst-term personnel. Retention among second-term and career personnel has not been anissue either. There have been some periodic shortfalls within the community when billetincreases have been authorized.

Table 24. Telecommunications Operator-Maintainer (74C)


FY 96 74C 35.1 62.9 59.3 2,615* 2,630* 0/0/0

FY 97 74C 57.1 75.7 56.1 2,527 2,398 1/0/0

FY 98 74C 65.7 65.6 42.4 2,425 2,240 .5/0/0

FY 99* 74C 52.7 67.9 60.2 1,955 1,938 1/0/0

*Projected Data

Remarks: Overall, retention among 74C personnel has been close to the Army average forfirst-term personnel. Retention among second-term and career personnel has not been anissue either. Some billet decreases have been observed and are expected to continue as theArmy switches from Autodin to DMS.

Table 25. Telecommunications Computer Operator- Maintainer (74G)


FY 96 74G 41.4 65.4 60.6 372* 382* 0/0/0

FY 97 74G 37.5 57.1 43.3 376 317 1/0/0

FY 98 74G 43.8 66.7 41.2 362 338 0/0/0

FY 99* 74G 42.9 55.6 80 320 325 0/0/0

*Projected Data

Remarks: Overall, retention among 74G personnel has been close to the Army average.This skill area will be gradually phased out over the next two years, and most personnel willbe absorbed into FA 74G. Some additional training may be required.


F-11

Table 26. Information Systems Chief (74Z)

Year Skill Career % Billets Inventory SRB

FY 96 74Z 37.3 120* 114* 0

FY 97 74Z 43.5 119 120 0

FY 98 74Z 37.9 133 153 0

FY99* 74Z 47.8 137 127 0

*Projected Data

Remarks: Retention has not been an issue within MOS 74Z.

Officers

Under OPMS XXI, which was implemented in 1998, development of company gradeofficers will continue to follow the same pattern as it does today. Upon selection to Major,however, OPMS XXI restructures the Army competitive category by grouping interrelatedbranches and functional areas into management categories (Career Fields). Officers will bedeveloped, managed, and promoted with other officers in the same Career Field. EachCareer Field has its own distinct development track for officers, with varied branchqualification requirements for professional military education, civil schooling, training, andmilitary experience. The Army established the Information Operations (IO) Career Field(CF) within a four Career Field based management system, to respond to requirements ofthe 21st century information age. The IO CF brings together information-related disciplines(Functional Areas) by combining existing functional areas and new ones into a single CF.Included in these disciplines is FA 53 (Information Systems Management) that currentlyexists as an IT occupational specialty and a new IT specialty FA 24 (Information SystemsEngineer) that is being established. Branch 25A (Signal Information Systems), thoughseparate, is an IT-related career field. Within the Warrant Officer occupational specialties,there are MOSC 250B (Tactical Automated Network Technician) and MOSC 251A (DataProcessing Technician).

There are no special retention and/or incentive pays for any of the officers in the IT-relatedcareer fields. However, private sector opportunities and OPTEMPO is straining retentiongoals among company grade BR 25’s officers.

The following tables provide selective retention data for officer career fields.

Table 27. Information Systems Management (AOC 53A)

Year Skill MAJ % LTC % COL % Billets Inventory

FY 96 53A 84.6 75.0 100 476 1,499 (74)

FY 97 53A 82.0 96.3 50 467 1,454 (79)

FY 98 53A 92.8 83.3 50 462 1,375 (85)

FY 99 53A N/A N/A N/A 431 1,256 (136)

( ) – single-tracked personnel

F-12

Remarks: FA 53s billet structure begins at Major. Prior to implementation of OPMS XXI,FA 53 consisted of officers who were “single-tracked” (i.e., serve in only FA 53 billets) andofficers who were “dual-tracked” (serve in alternating tours between a primary field (e.g.,infantry) and secondary field (e.g., automation)). Use of both types of officers ensured thatthere was adequate manning to meet the Army’s requirements, and a 2 to 2.5 to 1 ratio intotal number of officers was desired. With the initiation of OPMS XXI, the “dual-track”system will be phased out. Officers will serve from their tenth year of service untilretirement in their technical field. These officers will compete for promotion against othertechnical officers only. Overall, this will result in better developed and trained IT officersand higher promotion potential.

Table 28. Signal (Information Systems) Operations (AOC 25A)

Year Skill LT % CPT % MAJ % LTC % COL % Billets Inventory

FY 96 25A 90.7 87.7 87.0 88.8 86.7 2,740 2,841

FY 97 25A 90.9 87.4 91.4 92.6 84.3 2,745 2,759

FY 98 25A 90.3 88.3 95.0 89.0 82.8 2,761 2,772

FY 99* 25A 96.2 95.7 97.1 91.7 91.7 2,681 3,453

*As of March 1999

Remarks: FA25A officers work at all levels of command and staff and are engaged in theinstallation, operation, administration, and maintenance of information systems. FA 25Aretention has closely paralleled Army retention rates over the last three years. The Service isconcerned over manning at the captain level due to decreases in the continuation rates ofcaptains. Several initiatives are being taken to reverse attrition trends.

Table 29. Network Management Technician (MOS 250N)

Year Skill WO1 % CWO2 % CWO3 % CWO4 % CWO5 % Billets Inventory

FY 96 250N N/A 93 83 78 100 340 296

FY 97 250N 100 93 91 82 100 303 276

FY 98 250N 100 88 70 76 100 295 251

FY 99 250N 100 92 89 96 90 295 242

Remarks: MOS 250N warrant officers manage computer networks at major installations.Retention is monitored closely. Contributing factors are the relatively few numbers ofpersonnel and retirement eligibility at the CWO3 paygrade.


F-13

Table 30. Automation Technician (MOS 251A)

Year Skill WO1 % CWO2 % CWO3 % CWO4 % CWO5 % Billets Inventory

FY 96 251A N/A 94 89 75 N/A 115 98

FY 97 251A 100 90 70 72 100 110 77

FY 98 251A 100 94 80 88 100 110 82

FY 99 251A 100 100 60 80 0 115 104

Remarks: MOS 251A officers are data processing technicians and are normally assigned tomajor headquarters/staffs to ensure automation needs are met. Retention is monitoredclosely. Relatively few numbers of personnel in the career field and retirement eligibility atthe CWO3 level are contributing factors. There is only one billet at the CWO5 level.

Navy

Enlisted

Over the past three years, the Navy has conducted an extensive review/restructuring of itsenlisted IT career force. This resulted in the merger of the Data Processor (DP) rating andthe Radioman (RM) rating into the RM rating, and creation of new NECs (Naval EnlistedClassification) to meet the needs of IT requirements. New NECs include the following:

•••• Information Systems Administrator (NEC 2735)

•••• Network Security Vulnerability Technician (NEC 2780)

•••• Information Systems Security Manager (NEC 2779)

•••• Advanced Network Analyst (NEC 2781)

The Navy manages its enlisted IT career force through NECs sourced from differentenlisted ratings. The primary rating that sources the IT career field is Radioman (RM).However, other career fields such as Firecontrol Technician (FT) and CryptologicTechnician (CT) can earn IT NECs. IT NECs may be earned by completing formal trainingor a combination of formal training, on-the-job training (OJT), and experience. The Navynormally tracks personnel retention by their source rating. Overall management of the ITNECs is done by an Enlisted Community Manager. However, it should be noted that asailor may possess more than one NEC and this complicates tracking personnel retention byNEC. However, personnel with an IT NEC can normally (but not always) expect to beassigned to a billet requiring their respective NEC.

Extensive restructuring has resulted in a dramatic increase in the numbers of billets requiringpersonnel with an IT NEC. For this reason all of the IT NECs appear undermanned. TheNavy is currently growing its workforce to match requirements but does not expect to meetthem for the next two to three years. The rate at which the schoolhouses can train personnelwill determine how quickly requirements can be met.

F-14

In addition to structuring its workforce, the Navy has restructured its schoolhouses for thenew NEC requirements. Details are provided in the tables below.

The Navy has offered SRB for specific NECs. Given anecdotal feedback, the Navy assessesthat the FY 99 SRB offering is having the desired effect. To boost retention, experience,and competency of its workforce, the Navy is pursuing commercial certification for sailors,advanced education programs such as tuition assistance, and accepting lateral conversionsfrom other career fields into IT NECs.

The following tables provide statistical data for specific NECs.

Table 31. Radioman


FY 96 RM 42.7 56.4 57.3 13,210 12,324 2.0/0/0

FY 97 RM 40.7 57.8 55.0 11,353 11,337 3.0/0/0

FY 98 RM 36.5 52.3 51.4 12,176 11,315 3.5/0/0

Remarks: The RM rating merged with the DP rating in October 1998. The DP rating wasthe primary IT source prior to the merger. Data for the DP rating prior to the merger is notavailable. RM retention figures for FY 99 are higher than Navy averages of 27.7% (1st

Term), 43.2% (2nd Term), and 37.7% (Career).

Table 32. Information Systems Administrator (NEC 2735)

Year Skill Billets Inventory SRB

FY 98 2735 1798 668 4.5/2.5/1.5

FY 99 2735 TBD (1) TBD (1) 4.5/3.0/2.0

(1) Pending the results of a manpower review due in FY 99.

Remarks: This NEC (created in FY 98) fulfills requirements for trained technicians toadminister information systems. The focus is on network administration, to include aworking knowledge of network operating systems. The target groups of sailors arepaygrades E-4/5, with at least three years of fleet/field IT experience. The NEC is currentlygrowing inventory to match the billet base. Because of schoolhouse throughput limitations,the NEC may currently be earned through OJT (subject to certain restrictions).

Deploying battle group IT personnel are being taught a six-week systems administratorcourse that is bringing them up to speed on the IT systems being installed on their ships.Personnel are not awarded an NEC, but with added experience, they may receive it via OJT.


F-15

Table 33. Network Security Vulnerability Technician (NEC2780)


FY 98 2780 307 16

FY 99 2780 TBD (1) 16 5.0/3.0/2.0

(1): Pending the results of a manpower review due in FY 99.

Remarks: This NEC fulfills the requirement for trained technicians to secure informationsystems. The focus is on all facets of INFOSEC and IO Protection, to include informationcomputer security and expansion, system protection, Windows Clients security management,Novell security management, Microsoft Exchange server security, common Unix threats andsecurity tools, protocols and services, router security configuration, firewall configuration,and secure network server configuration. The targeted group is Sailors in paygrades E-5through E-8 with extensive fleet/field experience as a systems administrator. Inventory isbeing grown to match the billet base.

Table 34. Information Systems Security Manager (NEC 2779)


FY 98 2779 TBD (1) 1 3.5/2.0/1.0

FY 99 2779 TBD (1) 3 0*

*Expected to be offered in FY 00.

(1): Pending the results of a manpower review due in FY 99.

Remarks: This NEC (created in FY 98) is geared toward E-7 to E-9 personnel and fulfillsthe requirement for trained technical managers to oversee information systems. Focus ofthe NEC is network policy and oversight with emphasis on performance vice awareness, toinclude policy, IW/IO/IA, data encryption, vulnerabilities and countermeasures, securitytools, auditing and access control management, life cycle and configuration management,risk analysis, contingency planning, and certification and accreditation.

Personnel must be qualified as either an NEC 2735 or 2780 (or civilian equivalent) as aprerequisite. The course is three weeks in length. The first course is in progress, and istaught in Pensacola, Florida. Mobile Training Teams will teach future courses at fleetconcentration areas. Officers and civilians may receive this training if job requirementsdictate.

Table 35. Advanced Network Analyst (NEC 2781)


FY 98 2781 TBD 1 0

FY 99 2781 TBD

Remarks: This NEC (created in FY 98) fulfills the requirement for trained technicians tomanage information systems. The focus of the NEC is network management across

F-16

heterogeneous operating systems, to include systems design, hardware and softwareinstallation, system maintenance, network performance optimization, and enterprisenetworking labs. Targeted sailors are those in paygrades E-6 through E-8, with 2735fleet/field experience. The course is five weeks in length and is currently taught in DamNeck, Virginia. SRB will be offered starting in FY00.

Officers

Unlike the other Services, the Navy does not have a specific career field for officers in IT.Rather, the Navy manages its officer IT workforce through a subspecialty system. There areseveral subspecialties (see table below) in IT and billets have been programmed from Ensignto Admiral. Officers in other career fields acquire an IT subspecialty by acquiring advancededucation, experience, or both. The Navy’s goal is to assign an officer who has an ITsubspecialty to billets identified for an IT subspecialist in at least every other tour.

Table 36. Navy Officer IT Subspecialties

0045X Command and Control (C2)

0046X Information Warfare (IW)

0076X Space Systems Operations

0089X Information Technology Management

0091X Computer Science

The Navy reviewed its management of the IT workforce over the past couple of years.There is no single career path (designator) that provides officers to the IT workforce. ITofficers come from various designators and filling subspecialty billets such as IT rarely drivesassignments.

This has led to concern that the right person may not always be available to fill an IT billet.In an effort to ameliorate this problem and produce more broadly educated ITsubspecialists, the Navy (N6) has consolidated the IT related curricula at the NavalPostgraduate School (NPS) into a single curriculum with specialty tracks. This will ensure allgraduates of any specific tracks have a common core of knowledge that will enable them toperform effectively in any IT subspecialty billet.

N6 has also sponsored a new IT curriculum at NPS that focuses on the warfighter and isdesigned specifically for the unrestricted line (warfare) designators. The Navy tracksretention by designator. Since there is no IT designator, tracking retention of personnel withIT subspecialties is difficult. The Navy is reviewing the possibility of merging some othercareer fields into an IT designator, but no decision has been reached at this time.

In addition to curricular changes at NPS, the Navy has installed an IT curriculum at theNaval Academy and developed a Center for Executive Education at NPS where it offerssenior-level (Flag and SES) personnel courses in Information Age issues. The Navy has alsoundertaken a review of the IT billet structure to ensure billets are properly coded, and the


F-17

N6 organization is now actively interfacing with the assignment of officers at the NavalPersonnel Command to ensure the most qualified officers are assigned to IT related billets.

The Navy also has the Limited Duty Officer (Designator 6420) and Chief Warrant Officer(Designator 7420) communities who serve as Automated Data Processing (ADP) Officerson large ships (e.g., aircraft carriers and large amphibious ships) and major shoreinstallations. There are 32 LDO 6420 billets and the manning has been maintained over100% over the last three years (currently at 117%). There are 42 CWO 7420 billets andmanning has been maintained at 100% as well. Both groups are sourced from the enlistedranks and a vast majority has greater than 15 years of active duty service. Retention has notbeen an issue.

Table 37. Navy Officer Subspecialties – Billets vs. Inventory

IT SubspecialtiesO1-3

BilletsO1-3OFF

O4Billets

O-4OFF

O5Billets

O-5OFF

O6Billets

O-6OFF

0045X 43 20 27 68 61 95 38 60

0046X 31 26 81 58 54 102 3 46

0076X 60 79 44 120 32 115 8 52

0089X 488 272 128 353 111 294 41 103

0091X 61 63 44 96 29 70 4 25

Total 683 460 324 695 287 676 94 286

Remarks: A 3 to 1 ratio between officers and billets is desired.

Marine Corps

Enlisted

The Marine Corps initiated a restructure of its Information Technology career fieldsapproximately two years ago. This resulted in the merger of the Communications Officerand Data Systems Officer into the Communication Information Systems Officer. Similaractions to merge the Communications and Data Systems enlisted fields are in progress.MOSs discussed here reflect the current pre-merge status. Small Computer SystemsSpecialist (MOS 4066) is now the primary MOS for enlisted personnel. A Small ComputerSystems Specialist receives eight weeks of formal IT training at Twenty-nine Palms,California, with approximately one week of focused IA training. A Marine in this career fieldmay progress from E-1 to E-9.

Computer Security Specialist (MOS 4075) and Data Network Technician (MOS 4068) aretwo additional MOSs that may be earned upon completion of follow-on schooling. TheseMOSs are managed as subspecialties and not separate career fields.

A challenge the Marine Corps faced in restructuring its enlisted career fields is in training.The basic training provided to a Small Computer Systems Specialist is broad based but not

F-18

specific enough in any one area. As a result, the Marine Corps is now reviewing thecurriculum and is examining options that would allow more specialization at the entry level,including an IA MOS. Additionally, the Marine Corps is also investigating distance learningand commercial training to address the many emerging IT requirements.

Overall, first-term population and retention are a concern for the Marine Corps. SRB hasbeen offered although retention rates among first-term enlisted personnel have beenrelatively low. Careerist retention is also becoming a concern as well, particularly at the 8to12 year mark. A noticeable reduction in careerists staying in the Marine Corps past the 20-year point has been observed, and the Marine Corps is now offering zone “C” SRB throughthe remainder of FY 00. In FY 99, the Marine Corps is projecting that end-strengthrequirements will be met, but believes it will have a 5 to 25% shortfall in meeting the ITworkforce requirements (depending on paygrade).

The following table provides retention information for the enlisted MOS.

Table 38. Small Computer Systems Specialist (MOS 4066)


FY 96 4066 117 107 133 880 1,010 4/0/0

FY 97 4066 67 95 104 1,549 1,211 4/0/0

FY 98 4066 70 103 82 1,526 1,217 4/0/0

FY 99* 4066 81 88 93 1,545 1,302 4/3/0

*As of Jan 99

Remarks: The Marine Corps tracks retention in several ways; the most prevalent is basedon a tool known as “grade adjusted recapitulation” or GAR, which accommodates all billetrequirements as well as other “overhead requirements” such as entry level training, recruitingduty, and drill instructor duty. The figures above reflect the total workforce on hand vs.GAR. The Marine Corps strives to maintain GAR at 85% to 110%. During FY 97, thenumber of billets in the 4066 MOS was increased twice. Therefore, retention numbersappear low for that reason.

Officers

Communication Information Systems Officer (MOS 0602), the primary IT career field forofficers, was formed three years ago by combining the communications and data systemsMOSs as noted above. Officers receive 23 weeks of formal school in Quantico, Virginia,with approximately one week focused on IA. Like the enlisted ratings, the training isconsidered broad based, with not specific enough training in any one area. Consequently,the Marine Corps is reviewing its training curriculum for officers as well. The billet structurefor Communication Information Systems Officers allows for a Marine to progress to O-6/O-7 over the course of a career.

Because of the recent formation of the Communication Information Systems Officer MOS,retention has been difficult to ascertain. However, early feedback from Marines in the fieldpoints to problems on the horizon.


F-19

Table 39. Communications Information Systems Officer (MOS 0602)

Year Skill LT % CAPT % MAJ % LTCOL % Billets Inventory

FY 96 0602 83 75 64 57 1,043 744

FY 97 0602 63 99 71 66 951 722

FY 98 0602 75 103 77 68 958 789

FY 99 0602 63 95 72 65 958 715

Conclusions

Each of the Services has structured specialties in IT to meet the needs of the respectiveService. Overall, the Services are meeting end-strength requirements, but each is increasinglychallenged in retaining experienced personnel in both enlisted and officer ranks. There areIT occupational specialties, particularly within the Air Force and Marine Corps, whereretention has not met expectations and is a concern.

SRB is used but could be used to a greater extent by the Services in those cases whereretention is a concern. Current law and policy allow for maximum SRB payments of $45,000and $30,000 respectively, and a multiple of 10 and 6. In those cases where retention is anissue in the enlisted ranks, SRB is not being maximized, nor have waivers to policy beenrequested. Internal Service priorities for allocation of SRB funds may be a factor.

There are no continuation incentives for officers similar to those provided to enlistedpersonnel. For the reasons stated previously and the evolving nature of the IT workforce,long-term continuity appears to be an issue, particularly in the Air Force and Marine Corps.Additional study in this area appears to be warranted and should be conducted to meet FY02 budget submission requirements should such a study recommend continuation pays bepursued.

Given projected shortfalls of skilled IT personnel in the private sector and a continuedrobust economy, retention of experienced personnel is expected to be challenging for theforeseeable future. An OSD-sponsored steering group comprising OSD, Joint Staff, andeach of the Services should be established to focus on military IT personnel issues. Whileeach of the Services has recognized the challenges in retaining experienced military ITpersonnel, and is taking actions to address the problems, many of the approaches are notbeing shared among the Services. Given the long-term situation in the private sector, theServices’ retention of experienced personnel is not likely to disappear soon. A steeringgroup would serve to:

•••• Foster a mutual exchange of informationon accession/retention programs relatedto military IT professionals.

•••• Focus budgeting strategies (e.g.,SRBs, continuation pays, etc.).

•••• Provide a venue for developing newapproaches (e.g., commercial certificationincentives in exchange for additionalservice commitment).

•••• Develop long-term military ITpersonnel strategies.

F-20

App. G. Reqs. For IT/IA Coding

G-1

Appendix G.Requirements for IT/IA Coding of

DoD Manpower/Personnel Databases

General

The CINCs, Services, and Agencies must code all billets/positions (manpower) and people(personnel) that are assigned IT or IA functions. This coding will be a two-character code.

•••• The first character will be an Arabic numeral and will represent the IT workforcecategory. IT Workforce Categories are defined in Attachment 1.

•••• The second character will an alpha character and will represent the IA function code.

IA Function Codes are defined in Attachment 2. Although not likely, it is possible that therecould be seven occurrences of this data element for any billet/position or person. Exceptfor NSA, DIA, and NIMA, this data element must be included in the data provided to theDefense Manpower Data Center (DMDC) on a recurring basis.

These IT workforce categories and IA function codes apply to all military (active andReserve Component) and civilian personnel and billets/positions if they meet the conditionsspecified in the subsequent rules. These function codes are independent of occupationalspecialties. For example, if a cook is assigned the responsibility of system administration,that person will be given the appropriate IA functional code even though the person is notan IT professional.

The coding of the manpower and personnel data is semi-independent of each other. If aperson is assigned an IT and/or an IA function, but this is not a responsibility of the billet orposition, the personnel file will be coded but the manpower file will not be coded. Thereverse is not true. If a billet or position is assigned an IT and/or an IA function, the personshould be assumed to also be assigned the function. In this case, if the manpower file iscoded, then the personnel file must also be coded.

IT codes can be used without IA codes. IA codes always require an IT code.

Codes for both people and positions/billets will reflect only current assignments and will notinclude past experience and/or qualifications.

Vacant civilian positions assigned an IT and/or an IA function will be coded only if it is avalid position. In other words, it must be an authorized position.

G-2

IA Functions

If a person or position/billet is assigned any of the five critical functions (D, G, I, J, or K),no matter how negligible the % of time, the person and/or position/billet must be coded for theapplicable function(s).

If the person and/or position/billet is assigned Function I, Function D code will be used.In other words, the Function I code will not be used (security reasons).

For all other IA functions, the person and/or position/billet will be coded only if the timeassociated with that function represents 25% or more of the time.

IA codes D, G, H, I, J, K will be assigned an IT code of 4.

IT Functions

A billet/position and/or person cannot be coded in IT codes 1, 2, or 3 simultaneously.Only one or none of these codes can be used on a single billet/position and/or person.

A billet/position and/or person that is coded with IT code 6 cannot be coded with anyother IT code.


G-3

Attachment 1

Major IT Workforce Categories

1. CIOs and personnel performing equivalent duties in agencies. Accountable for allagency information resources management activities, promotes effective agencyoperations by encouraging performance-based management, and fosters the effectiveacquisition and use of information technology (IT) in accordance with the Clinger-Cohen Act and other IT-related Acts and Laws. (Detailed critical functions are outlinedin the Clinger-Cohen Core Competency list in Appendix C.)

2. Deputy CIOs and personnel performing equivalent duties in agencies. Supportthe CIO in carrying out information resources management activities and acts on thebehalf of the CIO in his or her absence.

3. CIO staff and personnel performing equivalent duties in agencies. Personnelsupporting the activities of the CIO in carrying out the responsibilities of the CIO office.

4. Technical Personnel such as: (occupational specialties listed below or people orbillets/positions performing functions listed under 9.0 of the Clinger-Cohen CoreCompetencies).

•••• Computer Specialists (including systems/network administrators)

•••• Computer Programmers

•••• Telecommunications Specialists

•••• Computer Engineers

•••• General Engineers (General Engineers performing IT functions)

•••• Electronic Engineers (Electronic Engineers performing IT functions)

•••• Industrial Engineers (Industrial Engineers performing IT functions)

•••• Computer Scientists

5. Information Technology Program/Project Managers /Deputy Program/ProjectManagers. Principal official and centralized authority responsible for the managementof a specific information technology program throughout the system life cycle. Thisincludes the planning, organizing, staffing, controlling, and leading the combined effortsof participating /assigned civilian and military personnel and organizations.

6. Personnel performing Information Technology (IT) Functions (These arepersonnel with primary functions other than IT, but perform some type of IT-related duties at least 25% of their time). Personnel who spend 25% or more of theirtime performing IT functions identified on the Clinger-Cohen Core Competencies List

G-4

Attachment 2

Information Assurance (IA) Functions

All information assurance functions described below include both tactical/deployablesystems and strategic or fixed systems. Those that are tied to privileged access are identifiedas a CRITICAL FUNCTION and are shaded.

Function A – IA Certification and Accreditation

•••• Systems

•••• People

•••• Equipment

•••• Procedures/Policies

•••• Security

Function B – IA Training/Education•••• Professors/Instructors

•••• Course Developers

•••• IA Training Administration

Function C – IA Management•••• Unit/Base/HQ Levels

•••• Acquisition of Secure Systems

•••• Policy/Procedure


•••• Implementation

•••• Compliance

•••• Enforcement

•••• Asset Accountability

Function D – System/Network Administration and Operations [critical function]•••• Configuration Control

•••• Installation

•••• Operations and Maintenance

•••• System Selection

•••• Access Control

•••• Response/Recovery/Reconstitution


G-5

•••• Incident Response

•••• Operations Monitoring and Analysis

•••• Countermeasures

Function E – Systems Security Engineering•••• Research

•••• Design


•••• IA Planning and Control

•••• IA Requirements Definition

•••• IA Design Support

•••• IA Operations Analysis

•••• Life Cycle IA Support

•••• IA Risk Management

Function F – IA Systems/Product Acquisition•••• Procurement

•••• Technical Expertise

Function G – Computer/Network Crime [critical function]•••• Forensic Analysis

•••• Criminal Prosecution/Investigation

Function H – Cryptography•••• Operations

•••• Management

Function I – Threat and Vulnerability Assessment [critical function]•••• Red-Teaming

•••• Penetration Testing

•••• Threat Analysis

FUNCTION J – COMPUTER EMERGENCY RESPONSE TEAM (CERT) [critical function]•••• Clearinghouse for collection of technical vulnerability information

•••• Clearinghouse for collection of incident reports

•••• Provide technical expertise to mitigate and reconstitute to victim site following anevent/incident

G-6

•••• Disseminate vulnerability information with mitigation solutions (when possible)

•••• Disseminate threat information

•••• Coordinate with other CERTs

•••• Coordinate with appropriate law enforcement agencies

•••• Coordinate with appropriate counterintelligence agencies

Function K – Web Security [critical function]•••• Information management

•••• Information systems administration

•••• Information system security

App. H. System/Network Administrators

H-1

Appendix H.Certification Requirements for

System/Network Administrators

H-2

Table 40. Certification Requirements of System/Network Administration & Operations

Function Certification

Performance items6

[Manage, Acquire, Design & Develop, Implement &Operate, Review & Evaluate, Use, Other]

FunctionalSpecification Demo Sign-off Certification Validity

Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas

orCourses Knowledge Skills Abilities NIST

NSTISSINo. 4013 Test

On- the-Job Cmd.-Level Admin.

OtherTriggers

Reqs.

& PoliciesSA-L1 0-2 Years OS

ExperienceKnow rudimentarysystem / networkadministrator tasksrelevant to the OS ornetwork device

Manage systemhardware &software.Maintain datastore

Day-to-dayoperations

1D, 2.2D3.5D 3.6D

1, 5 X X Supervisor Every 24Months

MajorSystemsChanges (e.g.,major updates

Requirement: OSCertificationRequired or Enroute

Formal trainingon the OS &CMD language(sys admins) ornetworkprotocols &operatingparameters(networkadmins)

Know OS, commandlanguage, &/ornetwork protocols

Providecommunicationconnectivity &configurenetworkprotocols

Install OSs,applications &peripherals,testing &safeguards

3.2D 3.5D3.3D 3.4D3.5C

1(b) Individual/Station Re-assignments(e.g., OSchange)

Policy: Billetsmust be coded

BackgroundInvestigation(BI)

Maintainexpertise

Policychanges

Policy: part timesys admins mustbe certified

Know normaloperatingparameters ofrelevant systems &applications

Install & verifysoftwarepatches

Recognizeabnormaloperations.Recognizepotential threats

1D 2.2D3.5D

1(b) Policy: maintaincertification & re-certificationrecords

6 Note: This is a list of operational requirements for system & network administrators. Choose applicable Knowledge-Skills-Abilities.


H-3



Performance items6



Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas




OtherTriggers

Reqs.

& PoliciesPolicy: Cmdrspecifiesadditional KSAvia annualtraining

Manageaccounts

Know basic system &configurationtroubleshooting

Troubleshootproblems

Troubleshoot userproblems

3.5A 3.5C3.5D

Conduct informal,on-the-spot userassistance &training

2.2D 3.5A 1 (b)

Basic knowledge ofcommand's/organization's network

H-4



Performance items6



Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas




OtherTriggers

Reqs.

& PoliciesFormal trainingon IA awareness& commonsystem /networkvulnerabilities

Know most commonvulnerabilities

Ensure security.Protect, detect,react againstsystemincursions

Assist ISSO inaccess controlsecurity (i.e.,passwords,auditing &alarming, etc.)

3.3D 1(b) 1(e)

Know local IAVAprocedures

Understand &react tovulnerabilityalerts (IAVAs)

1D 3.4C 1(a)

Know localprocedures forincident reporting &how to contactsecurity assistance

Receive & initiateincident reports

1D 2.2D3.5D 3.6D

1(a)

Know principles ofprioritizingcustomers &systems; understandimpact of emergencyoperations

Interact withothers

Assist Skill level2 sys admins withemergencyrestoration, surgeplanning & surgeoperations.

3.4D 3.5D 1C

Install emergencyworkarounds, asdirected

3.5A 3.6D 6(a) 5(a)


H-5



Performance items6



Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas




OtherTriggers

Reqs.

& PoliciesKnow basicdifferences betweengarrison & deployed(tactical) operatingenvironments

Know how tosafeguard classifieddata

1(b) (a) (d)

Know aboutdestruction plans &the various eventswhich trigger theirexecution

Destructiontechniques

Assist withemergencydestructionplanning &execution

3.6D 1 (b ) 6 (c )

SA-L2 2-5 Years OSExperience

Know how toadminister therelevant OS &application(s) &/ornetworks (systemadministrators).Knowtelecommunications& key mgmt.(networkadministrators)

Interact withothers

Interact withdevelopers,operationscenters, &support personnelto maintainreliableoperations.Continuallymonitor health ofsystem

3.4D 3.5A 5 X X Unit CDR Every 24Months

Major SystemsChanges (e.g.,major updates

Formal trainingrequired orEnroute


Manage systemhardware &software

Individual/Station Re-assignments(e.g., OSchange)

H-6



Performance items6



Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas




OtherTriggers

Reqs.

& PoliciesFormal trainingin networking,programminglanguageconcepts &algorithms

Solve complexproblems

Independentlysolve complexnetwork/securityproblems

3.2D 3.4C 4 Policy changes Policy: part timesys admins mustbe certified

Maintain datastore. Ensurethe validity &reliability ofdata files

Explain solutionsfor complexproblems to users& other systemadministrators

3.5A 1 c Policy: maintaincertification & re-certificationrecords

Program in acommandlanguage (sysadmins)

Train Skill Level1 sys admins

3.5A 1c Policy: Cmdrspecifiesadditional KSAvia annualtraining

Formal trainingin firewallmgmt.,intrusiondetection, &security tools

Know associatedvulnerabilities ofcommand's/organization's interconnected& interdependentsystems

Maintainexpertise.Maintaincurrentknowledge onnetworkvulnerabilities& solutions

Systematic &continuousinspection IAWtechnical &securitystandards

2.2D 3.4D3.5C

4c, 3a

Strongcommunications& customerrelations skills

Know networking,algorithms, &program languageconcepts. Know howto program in acommand language;knowtelecommunicationsnetworking, keymgmt., networkdesign, configuration,& interconnections

Implementcomplex OSchanges

3.2D 3.4C 5a, c


H-7



Performance items6



Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas




OtherTriggers

Reqs.

& PoliciesKnow how toimplement firewallmgmt., intrusiondetection, &available securitytools

Ensure security.Protect, detect,react againstsystemincursions.

Monitor & ensurethat security hard& softwareoperates properly

3.3D 6, 2 b

Manageaccounts

With ISSO, planmost effective useof security tools

3.4C 4, 6b

Know all interactionswithin domain. Knowhow to identifyabnormal operations

Analyze threats.Identifydifferencesbetween technicalproblems &securityincursions

1D 2.2D 5, 3

Establish &monitor internaldomains &security enclaves

3.4C 1 e

Monitor &balance loadamong servers &networks withinthe domain.Detect &interpret systemabnormalities

3.4D 5c, 6c

H-8



Performance items6



Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas




OtherTriggers

Reqs.

& PoliciesTroubleshootProblems

Complextroubleshootingacross allnetworks

3.4D

Scope, plan &implementcountermeasures

3.5C 3.5D 2b,c 3b

Comprehensiveknowledge ofcommand's/organization's network &primary external &internal connectivity

Providecommunicationconnectivity

Plan, supervise,implement, &inspect rapidassimilation ofsurge (crisis)networks

3.4D 3.5A 5a, 6

Knowcommand/agency'smission & priorities.Knowcommand/agency'scritical, essential, &support systems

Protect/recoverinformation fromloss or damage.Conductemergencyrestorral planning& operations

3.5D 5a, 6

Know physical &software interfacesfor priority systems.Understandalternative/backupsystems available forcontinuity ofoperations

Plan, supervise,implement, &inspectemergencyworkarounds &large scalesystem restorrals

3.5D 5a, 6


H-9



Performance items6



Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas




OtherTriggers

Reqs.

& PoliciesKnowinfrastructure'scritical nodes &understand effects ofinfrastructure failure

Predictcrisis/attackvulnerabilities &losses, to includeimpact of failedinfrastructure &physicaldestruction ofnetworks/equipment

3.4D 3.5A 5a, 6

Know how to preparefor operations invaried environments(garrison, deployed,etc.)

Requisition &maintainequipmentstocks for variedoperatingenvironments(garrison,field/deployed),as required

Operate in variedenvironments:garrison,deploying, etc.

3.5C 5a, 6

Operate duringelectronic/physical attack

3.5C 3.4C3.3D

5, 6

Know localprocedures forincident reporting &IAVAs

Scope, plan &implementcountermeasuresfrom technicalvulnerabilities

3.5C 3.5D 1a

Know local & DODsecurity policy &standards. Knowhow to handle &safeguard classifieddata

Enforce securitypolicy &procedures.Correctdeficiencies

3.4C 5a, 1a

H-10



Performance items6



Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas




OtherTriggers

Reqs.

& PoliciesKnow appropriateweb securitymeasures

1d

Know OPSEC &privacy issues toinclude policies onWEB release/review

Able todifferentiatebetweenappropriate/inappropriate materielfor WEB release

1D2.2D

1d, 1a

Know DoD & localrules of engagement.Working knowledgeof legal implicationsof attack response

Preserveevidence ofattack,tampering

Respond to attackIAW rules ofengagement &applicable law

1D 3.4C3.5A 3.5D

1a

Knows aboutdestruction plans &techniques & whento execute

Physicaldestructiontechniques

Plan &implementemergencydestruction

3.6D 3.5C3.5D

6c

SA-L3 Over 5 Years OSExperience

Knowledge of OSdesign,data/algorithmstructure, machinearchitecture,networking,programminglanguage, &concepts/algorithms.Knowtelecommunications,key mgmt., networkdesign, configuration,& interconnection

Expert mgmt. ofsystemhardware/software & datastore. Expertmgmt. ofapplicationsoftware

Take generaldirection frommgmt. & produceintegratedsecurity solutions/designs

3.4C 3.5D 1a 2a,b

X X Unit CDR Every 24Months

Major SystemsChanges (e.g.,major updates

Formal training/CertificationRequired orEnroute


H-11



Performance items6



Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas




OtherTriggers

Reqs.

& PoliciesAt least 5 yearsexperienceadministeringthe relevantOS(s)

Workindependentlyor lead teams toquickly &completely solveproblems

Solve complexproblemsinvolving external& internalassets/issues.Articulatenetwork &command/agencyreqs

3.4C 1a, b Individual/Station Re-assignments(e.g., OSchange)


Fluent in one ormore commandlanguage;competent inone

Know applicableprogramminglanguages & securityvulnerabilities ofthose languages

Maintainexpertise

Policy changes

Formal trainingin OS design,data/algorithmstructure,machinearchitecture,networking,programming, &concepts/algorithms

Ensure security.Protect, detect,react againstsystemincursions


Understand thestrategic view of thenetworkoperation/mission, &interaction with allexternal domains

Providecommunicationconnectivity

Plan & design thesecurityarchitecture

3.5C 3.4C3.5D

2, 4

Tune theperformance ofexisting domains;monitor forattacks

3.3D 1b

H-12



Performance items6



Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas




OtherTriggers

Reqs.

& PoliciesStronginterpersonal,organizational,&communicationsskills

In-depth knowledgeof DoD security /IAtraining reqs..

Interact withothers

Train skill levels1, 2

3.5A 1c

Can makeproposals &presentations,write plans &orders

Can makepresentations,write proposals &plans, & interactwith mgmt. &otherorganizations

In-depth knowledgeof local, DoD security& IA policies

Set &/or interpretstandards,securityprocedures &safeguards.Identify & rectifypolicy gaps. Set,adjust auditpriorities

3.5A 3.5C3.5D 3.6D

4c, 3a

Advise CDR on IA& INFOSECissues. Suggestperformance &securityimprovements

3.2D 3.3D2.2D

3a 2a, b

Advise Publicaffairs & localwebmasters onWEB securityissues

3.2D 3.3D2.2D

1d


H-13



Performance items6



Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas




OtherTriggers

Reqs.

& PoliciesIn-depth knowledgeon limits of response& DOD/local rules ofengagement

Analyze ITsecurity laws,vulnerabilities, &recognize thelegalramifications ofattack responses.Interpretappropriate rulesof engagement

1D 3.4C3.4D 3.5A

4a, b, c 2c, b

Know how to design& implementnetwork defense In-depth. Assess,manage, & plan thecountermeasureimplementation of atechnicalvulnerability

Lead teams totackle complexsecurity problems(certifiers &developers). Planlarge scaleimplementation/installation ofsecurity devices &upgrades

3.2D 3.3D3.4C

Know technical &operationalimplications ofoutages &interruptions

Know potentialattack threat(s) &most likely damage.Understandinfrastructurevulnerabilities &their potential toaffect the network

Predictcrisis/attacklosses & networkvulnerabilitiesacross scope ofconflict

3.4D 3.5A 5, 6, 3

Conduct systemicanalysis of attackimplications.Interpret impactof outages &rapidly issuealternative plans

3.4D 3.5A3.4D

5, 6

H-14



Performance items6



Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas




OtherTriggers

Reqs.

& PoliciesUnderstandoperational priorities& which systems &infrastructuressupport them

Manage, predict,& rapidlyassimilate surge(crisis) users

3.5A 5, 6

Integrate tactical& strategicnetworks &security issues.

2.2D 6a, c

Plan & providemateriel fortransition tovaried operatingenvironments(garrison todeployed, etc.)

3.4C 3.5C 5, 6

Destructiontechniques

Produce standard& emergencyrestorral orders,destruction plans,& continuity oroperations plans

3.6D 5,6

Know user reqs. &network capabilities

Balance userreqs. againstnetworkcapacities (&mission rqmts)

3.3D 3.5C 1, 5


H-15



Performance items6



Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas




OtherTriggers

Reqs.

& PoliciesBudget mgmt. Able to create &

manage a budget2D

App. I. Threats & Vulnerability

I-1

Appendix I.Certification Requirements for

Threat and Vulnerability Assessments

I-2

Table 41. Certification Requirements for Threat & Vulnerability Assessment


Performance Items[Manage, Acquire, Design & Develop, Implement & Operate, Review &

Evaluate, Use, Other]

Func.

Spec. Demonstration Sign-OffCertification

Validity

Re-Certifica-

tion

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas

or Courses Knowledge Skills Abilities NIST TestOn-the-

JobCmd.-Level Admin.

OtherTriggers

Reqs.

& PoliciesThreatAssessment;Vulnerability;Red Team

DAACertificationMandated

Know state-of-the-artsecurity policies &policy models & theirapplications

NSTISSC4011

X X Unit CDR Every 18-24 Months

MajorSystemsChanges(e.g.,majorupdates

Req.: OSCertificationRequired or EnRoute

SA-L2SecretClrnc SA-L3 TSClearance

Knowledge of state-of-the-art securityapplications bothhardware & software

NSTISSC4012

Individual/Station Re-assignments (e.g., OSchange)


BackgroundInvestigation

In-depth knowledge ofprinciples ofcryptography &applicable methodsKnow datacommunicationstechnologies suchATM, Ethernet, etc.;ISO/OSI transmissionstandards; ATMtransmission standards

Recognize abnormaloperations. Recognizepotential threats

In-depth training onapplicable OS(s)

Highly skilled inconfiguring & operatingOS for security

Good understanding ofstate-of-the-art inFirewalls, Routers,Bridges, network &host-based intrusiondetection systems, etc.Thorough knowledge ofcurrent "approvedsecurity products."

Troubleshoot Problems Troubleshoot userproblems

Policy: Cmdrspecifiesadditional KSAvia annualtraining

App. I. Cert. Reqs. For Threats & Vulnerability

I-3





Func.


Validity

Re-Certifica-

tion

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas



OtherTriggers

Reqs.

& PoliciesKnowledge &understanding ofNational & local/agencypolicies (including legalaspects)

Good knowledge ofcurrent & past hackingtechniques

Maintenance ofcurrency in re-CERT,IAVAs, & vendorbulletins

Know Threat,Vulnerability, RiskMgmt. tools, methods,& policies

Ability to planexploitation operation toinclude impact onnetwork under attack

Know Monitoring rules,regulations, laws, &methodsAs required, know &understandsteganography,malicious logic, & otheresoteric "stuff"

Conduct vulnerabilityassessment/onlinesurvey & interpretresults

Coordinate, create &deliver in-brief & out-brief to appropriatepersonnel

Know & understandselected ISSO functionssuch as account mgmt.,audit reviews,underlyingpolicies/modelscurrently in useUnderstandcoordination proceduresfor computer networkvulnerabilityassessments/onlinesurveys

I-4





Func.


Validity

Re-Certifica-

tion

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas



OtherTriggers

Reqs.

& PoliciesIn-depth workingknowledge of network& host-based intrusiondetection systems &network monitoringdevicesTypes of attacks usedby intruders againstsystems & networks &implications for riskassessment

Highly skilled inanalyzing attacksagainst systems &networks

In-depth workingknowledge ofexploitation tools &techniques used byIntruders

Highly skilled in use oftools & techniques tocounter attacks againstsystems & networks inaccordance withincident handlingpolicies/procedures

Technical knowledge ofHW/SW vulnerabilitiesof OSs &/or DBMS(Team may be made upof individuals eachw/unique knowledge ofa different OS)

Analyze computernetwork configurationfrom security point ofview

Ability to lead smallerteams to solve complexsecurity problems

In-depth technicalknowledge of theinternet & webprotocols, applications,services, security issues,& host/system securityissues

Ability to identifycommon vulnerabilitiesin web products, i.e.HTML code & CGI,PERL, & JAVA

Very stronginterpersonal,organizational, &communication skills.Can make presentations,write proposals & plans,& interact with mgmt.& other organizations.

Explain complexproblems, events &solutions to senior mgrs.& decision makers

App. I. Cert. Reqs. For Threats & Vulnerability

I-5





Func.


Validity

Re-Certifica-

tion

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas



OtherTriggers

Reqs.

& PoliciesIn-depth knowledge ofDOD criticalinfrastructure (DCIP) &priority systems &networks

Advise higher mgmt. onIA & INFOSEC issues& recommendperformance & securityimprovements.

App. J. CERT

J-1

Appendix J.Certification Requirements for

Computer Emergency Response Team

J-2

Table 42. Certification Requirements for CERT


Performance Items

[Manage, Acquire, Design & Develop, Implement & Operate, Review &


Func.Spec. Demonstration Sign-Off

CertificationValidity

Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas

orCourses Knowledge Skills Abilities Test

On-the-Job

Cmd.-Level Admin.

OtherTriggers

Reqs.&

Policies

CERT-L1 (HelpDesk)

2-5 YearsOSExperience

IncidentHandlingCourse

CERT policies &procedures forhandling incidents,includingdocumentation &reporting (National,DOD, local)

Highly skilled inquickly identifyingnature of customerproblem &accuratelydetermining itssignificance

Ability tocommunicateeffectively throughwrittencommunication

X X CERTMgr.

Every 18-24Months

MajorSystemsChanges(e.g.,majorupdates)

Requirement:OS CertificationRequired; CERTCertificationRequired

SA-L2 Knowledge of coresecurity principles,concepts,applications, services& issues

Ability tocommunicateeffectively throughoral communication

Individual/ CERTReassignment(e.g., OSchange)



Knowledge ofINFOCON stages &requisiteresponses/actions ateach stage

Ability to effectivelyexplain, advise &directimplementation foreach INFOCON level

Ability to followpolicies & procedures

Ability to functioneffectively in adynamic teamenvironment

Policy: CERTMgr. specifiesadditional KSAvia annualtraining

CERT-L2 (IncidentHandler)

CERT-L1 IncidentHandlingCourse

Types of attacksused by intrudersagainst systems &networks &implications for riskassessment

Highly skilled inanalyzing attacksagainst systems &networks

Accurately document& report incidents

X X CERTMgr.

Every 18-24Months

MajorSystemsChanges(e.g.,majorupdates

OS CertificationRequired orEnroute


Vendorworkshops,conferences,discussions,

In-depth workingknowledge of tools &techniques used byIntruders

Highly skilled in useof tools & techniquesto counter attacksagainst systems &networks inaccordance withincident handlingpolicies/procedures

Ability to employappropriatecountermeasures toeffectively achievedesired outcome

Individual/StationRe-assignments (e.g.,OSchange)

Billets: must becoded

App. J. CERT

J-3


Performance Items





Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas


On-the-Job

Cmd.-Level Admin.

OtherTriggers

Reqs.&

Policies

Technical knowledgeof HW/SWvulnerabilities ofOSs (Team may bemade up ofindividuals eachw/unique knowledgeof a different OS)

Ability to leadsmaller teams tosolve complexsecurity problems

Policy: Cmdrspecifiesadditional KSAvia annualtraining

In-depth technicalknowledge of theinternet & webprotocols,applications,services, securityissues, &host/system securityissues

Ability to analyzeIAVA & other data &make adetermination of thehealth of the Team'soverall system/network(s)

Highly skilled inconfiguring &operating OS forsecurity

Test & evaluateincident handlingcountermeasures,includingprocedures, policies,tools & techniques

Incident Handlingorganizations &structure at Local,DOD, Federal,National,International levels

Ability to work as amember of a teamwhich includesexternal sites &elements

Working knowledgeof legal aspects ofincidenthandling/attackresponse

Knowledge of therole &responsibilities oflaw enforcement incomputer incidents

J-4


Performance Items





Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas


On-the-Job

Cmd.-Level Admin.

OtherTriggers

Reqs.&

Policies

CERT-L3 (Mgr.) At least 5Years OSExperience

Interact withvendors, otherCERTs, others toenhance securityfeatures of HW/SW

X X Unit CDR Every 18-24Months

Individual/ StationReassignment

OS CertificationRequired

2-3 yearsCERTIncidentHandlingexperience

Set local incidenthandling SOPs, &rules of engagement

Billets: must becoded

SA-L3/CERT-L2

Very stronginterpersonal,organizational, &communicationskills. Can makepresentations, writeproposals & plans, &interact with mgmt.& otherorganizations.

Explain complexproblems, events &solutions to seniormgrs. & decisionmakers

Top SecretClearance

In-depth knowledgeof DOD criticalinfrastructure(DCIP) & prioritysystems & networks

In-depth knowledgeof DoD security/IApolicy, CERTmember trainingreqs., & sources oftraining for CERTmembers

Ability to develop aneffective incidentresponse/incidenthandling team

Budget mgmt. forCERT operations

Ability to create,defend & manage abudget.

Manage conduct ofsystemic analysis ofattack implications

App. J. CERT

J-5


Performance Items





Re-Certification

PrivilegedAccess

Pre-Reqs.or

Equivalent

TopicalAreas


On-the-Job

Cmd.-Level Admin.

OtherTriggers

Reqs.&

Policies

Manage productionof standard &emergency restorralorders, destructionplans, & continuityof operations plans.

Advise higher mgmt.on IA & INFOSECissues & recommendperformance &securityimprovements.

App. K. Service/Agency Costs

K-1

Appendix K.Service/Agency Costs to Implement Recommendation

Table 43. Service/Agency Costs to Implement Recommendations

Cost by Recommendation

Service/Agency

Recomm. 1(See Section

2.1.1)Recomm. 9

(See Section 3.1.1)Recomm. 14

(See Section 3.3.2)Recomm. 18

(See Section 3.3.3)Total Cost by

Service/Agency

JCS No cost $25K No cost $25K

Army $3M $1M No cost $4M

Navy $5.5M $1.5M No cost $7M

Air Force $3M $1M No cost $4M

MarineCorps

$75K $0.5M No cost $575K

OSD DMDC - $50KCPMS -

Unknown

No cost Year 1 - $5MYears 2 –5 - $10M each

$45.05M

DIA $400K $750K Years 1-5:750K each $4.9M

NSA $500K $2.5M No cost $3M

DLA No cost $1.5M No cost $1.5M

WHS No cost No cost No cost No cost

DISA No cost $720K No cost $720K

NIMA No cost $720K No cost $720K

BMDO No cost $250K No cost $250K

IRMC $5.8M $5.8M

Total Cost by

Recommendation $12.525 $5.8M $10.465M $48.75M $77.5M

K-2

App. L. Schedule

L-1

Appendix L.Schedule of Recommendations

L-2

References

Refs-1

References

1996 Clinger-Cohen Act, Section 5125(C)(3).

Clinger-Cohen Competencies, revised 25 September 1998.

Defense Science Board. Report on Information Warfare – Defense. November 1996.

Department of Commerce, National Institute for Technology and Standards. NIST SpecialPublication 800-16, Information Technology Security Training Requirements: A Role-and Performance-Based Model.

Department of Defense. DODD 8500.xx, Information Assurance.

Department of Defense. Joint Vision 2010.http://www.dtic.mil/doctrine/jv2010/jvpub.htm

Department of Defense. NSTISSC National Training Standard Instructions.

Department of Defense. NSTISSI Number 4009, National Information Systems Security(INFOSEC) Glossary.

Department of Defense, Deputy Secretary of Defense. Memorandum: Department ofDefense Reform Initiative Directive #27 — DoD Computer Forensics Laboratory andTraining Program. 10 February 1998.

Department of Defense, Deputy Secretary of Defense. Memorandum: InformationVulnerability and the World Wide Web. 24 September 1998.

General Accounting Office. Information Security: Computer Attacks at Department ofDefense Pose Increasing Risks. GAO/AIMD-96-84. May 1996.

Inherently Governmental and Commercial Activities Inventory Report.

Office of Personnel Management. Recruiting and Retaining Information TechnologyProfessionals. [n.d.]

Office of the Secretary of Defense. [memorandum: Establishing the IT/IA IPT].September 22, 1998.

President of the United States. Executive Order 13111. January 1999.

NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role-and Performance-Based Model, and the NSTISSC National Training Standard Instructions.

Refs-2

Acronyms & Abbrevs.

Acros-1

Acronyms and Abbreviations

.A&T Acquisition and TechnologyADP Automated Data ProcessingAIS Automated Information SystemsASD Assistant Secretary of Defense

BMDO Ballistic Missile Defense Organization

C2 command and controlC3I command, control, communications, and

intelligenceC4I command, control, communications,

computers, and intelligenceC-E Communications-ElectronicsCBT computer-based trainingCERT Computer Emergency Response TeamCF Career FieldCFO Chief Financial OfficerCINC commander in chiefCIO Chief Information OfficerCISN Computers, Information Systems and

NetworksCMF Career Management FieldCOL colonelCOO Chief Operations OfficerCPMS Civilian Personnel Management ServiceCT Cryptologic Technician

DAU Defense Acquisition UniversityDCIO Deputy Chief Information OfficerDEPSECDEF Deputy Secretary of DefenseDFAS Defense Finance and Accounting ServiceDIA Defense Intelligence AgencyDIAP Defense-Wide Information Assurance

ProgramDISA Defense Information Systems AgencyDLA Defense Logistics AgencyDMDC Defense Manpower Data CenterDP Data ProcessingDoD Department of DefenseDODD Department of Defense Directive

DoD IG Department of Defense InspectorGeneral

DSB Defense Science BoardDSS Defense Security Service

E- enlistedEO Executive OrderESOP Employee Stock Option Plans

FA Functional AreaFT Fireman TechnicianFY fiscal year

GAO General Accounting OfficeGAR grade adjusted recapitulationGPRA Government Performance and Reporting

ActGS General Schedule

HQ headquarters

IA information assuranceIG Inspector GeneralIGWG Inherently Governmental Working Group

INFOSEC Information SecurityINTEL intelligenceIO Information OperationsIPT Integrated Process TeamIRMC Information Resources Management

CollegeISSM Information System Security ManagerISSO Information System Security OfficerIT information technologyITM information technology managementIW information warfare

JMETL Joint Mission Essential Task ListJS Joint StaffJV Joint Vision

LTC lieutenant colonel

Acros-2

K thousand

M millionMAJ majorMOS Military Occupational Specialty

N/A not applicablen.d. no dateNDU National Defense UniversityNEC Naval Enlisted ClassificationNIMA National Imaging and Mapping AgencyNIST National Institute of Science and

TechnologyNPS Naval Postgraduate SchoolNSA National Security AgencyNSTISSC National Security Telecommunications

and Information Systems SecurityCommittee

NSTISSI National Security Telecommunicationsand Information Systems SecurityInstruction

O- officerOASD (C3I) Office of the Assistant Secretary of

Defense (Command, Control,Communications, and Intelligence)

OCS Officer Candidate SchoolODASD (CPP) Office of the Deputy Assistant Secretary

of Defense (Civilian Personnel Policy)ODASD (MPP) Office of the Deputy Assistant Secretary

of Defense (Military Personnel Policy)OJT on the job trainingOPM Office of Personnel ManagementOPMS Officer Personnel Management SystemOPTEMP operating tempoOSD Office of the Secretary of DefenseOUSD (A&T) Office of the Under Secretary of Defense

(Acquisition & Technology)OUSD (P&R) Office of the Under Secretary of Defense

(Personnel & Readiness)

PC personal computerPDD Presidential Decision DirectivePERSCOM Personnel CommandPERSTEMPO personnel tempoPOM Program Objective Memorandumppl peoplePRA Primary Review Authority

Q quarterQOL Quality of Life

RM RadiomanROTC Reserve Officer Training Corps

SES Senior Executive ServiceSOW Statement of WorkSRB Selective Reenlistment Bonuses

TBD to be determined

UJTL Universal Joint Task ListUSD Under Secretary of Defense

Web World Wide WebWESTHEM Western HemisphereWHS Washington Headquarters Service

Documents

Information Assurance and Information Technology: Training ... · This final report entital “Information Assurance and Information Technology: Training, Certification and Personnel